Windows Analysis Report
Order 24007219.exe

Overview

General Information

Sample name: Order 24007219.exe
Analysis ID: 1416957
MD5: e77f0d830d8353f748f97ea6c692b7f7
SHA1: 7202eec3edccf41aa004e542c1956533b9ac8c01
SHA256: 2c39793aee8f8966937d52468306f422151978e4b43d665a09f78e5c91fe5401
Tags: exe, Neshta

Detection

AgentTesla, Neshta, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Neshta
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: neshta
Description: Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

AV Detection

Source: Order 24007219.exe Avira: detected
Source: Order 24007219.exe.5948.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.toliddaru.ir", "Username": "phtd@toliddaru.ir", "Password": "Aa@1401"}
Source: Order 24007219.exe ReversingLabs: Detection: 57%
Source: Order 24007219.exe Virustotal: Detection: 59%
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: Order 24007219.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\Order 24007219.exe Unpacked PE file: 0.2.Order 24007219.exe.100000.0.unpack
Source: Order 24007219.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Order 24007219.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.3.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.3.dr
Source: Binary string: NisSrv.pdb source: NisSrv.exe.3.dr
Source: Binary string: mpextms.pdb source: mpextms.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source: Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.3.dr
Source: Binary string: osppsvc.pdb source: OSPPSVC.EXE.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE0.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.3.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.3.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe0.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.3.dr
Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb source: Microsoft.Mashup.Container.Loader.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE0.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe0.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.3.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: chrome.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: Integrator.exe.3.dr
Source: Binary string: r.pdb source: AppSharingHookController64.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.3.dr
Source: Binary string: MsMpEng.pdbGCTL source: MsMpEng.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Integrator.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdbdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoadfsb.exe.3.dr
Source: Binary string: mi_exe_stub.pdb source: MicrosoftEdgeUpdateSetup.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.3.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.3.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.3.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe.3.dr, MpCmdRun.exe0.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.3.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.3.dr
Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe.3.dr, MpCmdRun.exe0.3.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\outlook\x-none\olcfg.pdb source: OLCFG.EXE.3.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.3.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.3.dr
Source: Binary string: lper.pdb source: SDXHelper.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.3.dr
Source: Binary string: NisSrv.pdbGCTL source: NisSrv.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.3.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.3.dr
Source: Binary string: MsMpEng.pdb source: MsMpEng.exe.3.dr
Source: Binary string: mpextms.pdbGCTL source: mpextms.exe.3.dr
Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe.3.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\outlook\x-none\olcfg.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLCFG.EXE.3.dr
Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb.. source: Microsoft.Mashup.Container.Loader.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdb source: msoadfsb.exe.3.dr

Spreading

Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1977733940.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2389620654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 4028, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 3_2_00405080
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 3_2_00405634
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404F6C FindFirstFileA,FindClose, 3_2_00404F6C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 3_2_004056A7
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 3_2_00406D40
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then jmp 07455D3Ah 0_2_0745533C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then jmp 07455D3Ah 0_2_07455641
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then xor edx, edx 0_2_08CD90C0
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_08CD6990
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_08CD8E68
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_08CD8E68
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_08CD9188
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_08CD9188

Networking

Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Integrator.exe.3.dr String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: OfficeScrSanBroker.exe.3.dr String found in binary or memory: http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER
Source: msoadfsb.exe.3.dr String found in binary or memory: http://aka.ms/sdxdebug
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Au3Check.exe.3.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Au3Check.exe.3.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Au3Check.exe.3.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Au3Check.exe.3.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Au3Check.exe.3.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: armsvc.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: jusched.exe.3.dr String found in binary or memory: http://es5.github.io/#x15.4.4.21
Source: MSOHTMED.EXE0.3.dr String found in binary or memory: http://https://ftp://.htmlGot
Source: Order 24007219.exe, 00000003.00000002.2389737039.00000000012F0000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Au3Check.exe.3.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Au3Check.exe.3.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Au3Check.exe.3.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Au3Check.exe.3.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Au3Check.exe.3.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Au3Check.exe.3.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: jusched.exe.3.dr String found in binary or memory: http://stackoverflow.com/a/1465386/4224163
Source: jusched.exe.3.dr String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: jusched.exe.3.dr String found in binary or memory: http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript
Source: jusched.exe.3.dr String found in binary or memory: http://stackoverflow.com/questions/1068834/object-comparison-in-javascript
Source: jusched.exe.3.dr String found in binary or memory: http://www.computerhope.com/forum/index.php?topic=76293.0
Source: javaw.exe.3.dr, GoogleUpdateOnDemand.exe.3.dr, ssvagent.exe.3.dr, GoogleUpdate.exe.3.dr, armsvc.exe.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: jusched.exe.3.dr String found in binary or memory: http://www.tutorialspoint.com/javascript/array_map.htm
Source: Order 24007219.exe, 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: msedge.exe0.3.dr String found in binary or memory: https://crashpad.chromium.org/
Source: msedge.exe0.3.dr String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: msedge.exe0.3.dr String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: jusched.exe.3.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce
Source: jusched.exe.3.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: jusched.exe.3.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf
Source: jusched.exe.3.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim
Source: jusched.exe.3.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: jusched.exe.3.dr String found in binary or memory: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: msedge.exe0.3.dr, msedge_proxy.exe.3.dr, identity_helper.exe.3.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge.exe0.3.dr, msedge_proxy.exe.3.dr, identity_helper.exe.3.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: jusched.exe.3.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml
Source: jusched.exe.3.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml
Source: jusched.exe.3.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda
Source: Integrator.exe.3.dr String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: Integrator.exe.3.dr String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: NisSrv.exe.3.dr String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: NisSrv.exe.3.dr String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: NisSrv.exe.3.dr String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: Au3Check.exe.3.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Au3Check.exe.3.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: OfficeScrSanBroker.exe.3.dr Binary or memory string: RegisterRawInputDevices memstr_64e62b24-2

System Summary

Source: 3.2.Order 24007219.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 3.2.Order 24007219.exe.40a698.0.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: initial sample Static PE information: Filename: Order 24007219.exe
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_024013D0 0_2_024013D0
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_024033F8 0_2_024033F8
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02401B90 0_2_02401B90
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02400878 0_2_02400878
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02402549 0_2_02402549
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405A4A 0_2_02405A4A
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02404279 0_2_02404279
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_024032E9 0_2_024032E9
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02404288 0_2_02404288
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02403310 0_2_02403310
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_0240133E 0_2_0240133E
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405881 0_2_02405881
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405890 0_2_02405890
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_0240EE58 0_2_0240EE58
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405620 0_2_02405620
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405630 0_2_02405630
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405440 0_2_02405440
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02405430 0_2_02405430
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_07456B88 0_2_07456B88
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_07453610 0_2_07453610
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_07451061 0_2_07451061
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_07451070 0_2_07451070
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_07450C38 0_2_07450C38
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_074514A8 0_2_074514A8
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_074530B0 0_2_074530B0
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CDA910 0_2_08CDA910
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CDACB8 0_2_08CDACB8
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD0040 0_2_08CD0040
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD9868 0_2_08CD9868
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD0006 0_2_08CD0006
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD7400 0_2_08CD7400
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD7410 0_2_08CD7410
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD56E9 0_2_08CD56E9
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD9E68 0_2_08CD9E68
Source: msoasb.exe.3.dr Static PE information: No import functions for PE file found
Source: ai.exe.3.dr Static PE information: No import functions for PE file found
Source: mpextms.exe.3.dr Static PE information: No import functions for PE file found
Source: filecompare.exe.3.dr Static PE information: No import functions for PE file found
Source: chrome.exe.3.dr Static PE information: No import functions for PE file found
Source: MsMpEng.exe.3.dr Static PE information: No import functions for PE file found
Source: IEContentService.exe.3.dr Static PE information: No import functions for PE file found
Source: integrator.exe.3.dr Static PE information: No import functions for PE file found
Source: VC_redist.x64.exe.3.dr Static PE information: No import functions for PE file found
Source: msoadfsb.exe.3.dr Static PE information: No import functions for PE file found
Source: ConfigSecurityPolicy.exe.3.dr Static PE information: No import functions for PE file found
Source: PerfBoost.exe.3.dr Static PE information: No import functions for PE file found
Source: MpDlpCmd.exe.3.dr Static PE information: No import functions for PE file found
Source: misc.exe.3.dr Static PE information: No import functions for PE file found
Source: msoev.exe.3.dr Static PE information: No import functions for PE file found
Source: lync99.exe.3.dr Static PE information: No import functions for PE file found
Source: SDXHelper.exe.3.dr Static PE information: No import functions for PE file found
Source: MpCmdRun.exe0.3.dr Static PE information: No import functions for PE file found
Source: MpCmdRun.exe.3.dr Static PE information: No import functions for PE file found
Source: aimgr.exe.3.dr Static PE information: No import functions for PE file found
Source: MpCopyAccelerator.exe.3.dr Static PE information: No import functions for PE file found
Source: NisSrv.exe.3.dr Static PE information: No import functions for PE file found
Source: UcMapi.exe.3.dr Static PE information: No import functions for PE file found
Source: Wordconv.exe.3.dr Static PE information: No import functions for PE file found
Source: msoasb.exe.3.dr Static PE information: Data appended to the last section found
Source: ai.exe.3.dr Static PE information: Data appended to the last section found
Source: filecompare.exe.3.dr Static PE information: Data appended to the last section found
Source: chrome.exe.3.dr Static PE information: Data appended to the last section found
Source: MsMpEng.exe.3.dr Static PE information: Data appended to the last section found
Source: IEContentService.exe.3.dr Static PE information: Data appended to the last section found
Source: VC_redist.x64.exe.3.dr Static PE information: Data appended to the last section found
Source: ConfigSecurityPolicy.exe.3.dr Static PE information: Data appended to the last section found
Source: PerfBoost.exe.3.dr Static PE information: Data appended to the last section found
Source: MpDlpCmd.exe.3.dr Static PE information: Data appended to the last section found
Source: msoev.exe.3.dr Static PE information: Data appended to the last section found
Source: lync99.exe.3.dr Static PE information: Data appended to the last section found
Source: SDXHelper.exe.3.dr Static PE information: Data appended to the last section found
Source: aimgr.exe.3.dr Static PE information: Data appended to the last section found
Source: MpCopyAccelerator.exe.3.dr Static PE information: Data appended to the last section found
Source: Wordconv.exe.3.dr Static PE information: Data appended to the last section found
Source: Order 24007219.exe, 00000000.00000002.1983313326.0000000008F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Order 24007219.exe
Source: Order 24007219.exe, 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Order 24007219.exe
Source: Order 24007219.exe, 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename76efe27d-13bf-4b49-bffa-4e8ceb2fcd72.exe4 vs Order 24007219.exe
Source: Order 24007219.exe, 00000000.00000002.1975425465.000000000078E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Order 24007219.exe
Source: Order 24007219.exe Binary or memory string: OriginalFilenameEEHT.exe" vs Order 24007219.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Order 24007219.exe Section loaded: coremessaging.dll
Source: Order 24007219.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Order 24007219.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 3.2.Order 24007219.exe.40a698.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: Order 24007219.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, IsrBSgoD3Qo0N51DT1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: _0020.SetAccessControl
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: _0020.AddAccessRule
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, IsrBSgoD3Qo0N51DT1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, IsrBSgoD3Qo0N51DT1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: _0020.SetAccessControl
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: _0020.AddAccessRule
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: _0020.SetAccessControl
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, aiJW3nnXjqjqRH1NGG.cs Security API names: _0020.AddAccessRule
Source: 0.2.Order 24007219.exe.2687118.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Order 24007219.exe.7250000.9.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.Order 24007219.exe.2667f40.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: MpCmdRun.exe0.3.dr Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"
Source: msedge.exe0.3.dr Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
Source: OfficeScrSanBroker.exe.3.dr Binary string: \Device\Afd\WepollNtCreateFilentdll.dllNtReleaseKeyedEventRtlNtStatusToDosErrorNtDeviceIoControlFileNtWaitForKeyedEventNtCreateKeyedEventwsipcudptcppipe_ != NULLopensource\libzmq\src\channel.cpp%s (%s:%d)
Source: msedge.exe0.3.dr Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@4/156@0/0
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 24007219.exe.log
Source: C:\Users\user\Desktop\Order 24007219.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Users\user\AppData\Local\Temp\3582-490
Source: Order 24007219.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Order 24007219.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Order 24007219.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order 24007219.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Integrator.exe.3.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Integrator.exe.3.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Integrator.exe.3.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Integrator.exe.3.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Order 24007219.exe, 00000000.00000002.1977733940.00000000025FA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT e.id_empleado AS ID, e.nombre AS NOMBRE, e.apellido AS APELLIDO, e.email AS CORREO, e.telefono AS TELEFONO, t.tipo AS CARGO FROM empleados e INNER JOIN tipo_empleados t ON e.id_tipo_empleado=t.id_tipo_empleado;
Source: Order 24007219.exe ReversingLabs: Detection: 57%
Source: Order 24007219.exe Virustotal: Detection: 59%
Source: C:\Users\user\Desktop\Order 24007219.exe File read: C:\Users\user\Desktop\Order 24007219.exe
Source: unknown Process created: C:\Users\user\Desktop\Order 24007219.exe "C:\Users\user\Desktop\Order 24007219.exe"
Source: C:\Users\user\Desktop\Order 24007219.exe Process created: C:\Users\user\Desktop\Order 24007219.exe "C:\Users\user\Desktop\Order 24007219.exe"
Source: C:\Users\user\Desktop\Order 24007219.exe Process created: C:\Users\user\Desktop\Order 24007219.exe "C:\Users\user\Desktop\Order 24007219.exe"
Source: C:\Users\user\Desktop\Order 24007219.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Order 24007219.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order 24007219.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.3.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.3.dr
Source: Binary string: NisSrv.pdb source: NisSrv.exe.3.dr
Source: Binary string: mpextms.pdb source: mpextms.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source: Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.3.dr
Source: Binary string: osppsvc.pdb source: OSPPSVC.EXE.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE0.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController64.exe.3.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.3.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe0.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.3.dr
Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb source: Microsoft.Mashup.Container.Loader.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE0.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe0.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.3.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: chrome.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: Integrator.exe.3.dr
Source: Binary string: r.pdb source: AppSharingHookController64.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController64.exe.3.dr
Source: Binary string: MsMpEng.pdbGCTL source: MsMpEng.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Integrator.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdbdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoadfsb.exe.3.dr
Source: Binary string: mi_exe_stub.pdb source: MicrosoftEdgeUpdateSetup.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.3.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.3.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.3.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.3.dr
Source: Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe.3.dr, MpCmdRun.exe0.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.3.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.3.dr
Source: Binary string: MpCmdRun.pdb source: MpCmdRun.exe.3.dr, MpCmdRun.exe0.3.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\outlook\x-none\olcfg.pdb source: OLCFG.EXE.3.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.3.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.3.dr
Source: Binary string: lper.pdb source: SDXHelper.exe.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.3.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.3.dr
Source: Binary string: NisSrv.pdbGCTL source: NisSrv.exe.3.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.3.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.3.dr
Source: Binary string: MsMpEng.pdb source: MsMpEng.exe.3.dr
Source: Binary string: mpextms.pdbGCTL source: mpextms.exe.3.dr
Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.3.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe.3.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\outlook\x-none\olcfg.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLCFG.EXE.3.dr
Source: Binary string: D:\a\_work\1\s\bin\x86\Release\Product\Binaries\Client\bin\Microsoft.Mashup.Container.Loader.pdb.. source: Microsoft.Mashup.Container.Loader.exe.3.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdb source: msoadfsb.exe.3.dr

Data Obfuscation

Source: C:\Users\user\Desktop\Order 24007219.exe Unpacked PE file: 0.2.Order 24007219.exe.100000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\Order 24007219.exe Unpacked PE file: 0.2.Order 24007219.exe.100000.0.unpack
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, aiJW3nnXjqjqRH1NGG.cs .Net Code: b7IMTZAqZX System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, aiJW3nnXjqjqRH1NGG.cs .Net Code: b7IMTZAqZX System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs .Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, I1Ds3abkUA5mh3kywv.cs .Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, aiJW3nnXjqjqRH1NGG.cs .Net Code: b7IMTZAqZX System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_02406ECB push ebp; retf 0_2_02406ECE
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 0_2_08CD3644 push cs; retf 0_2_08CD3647
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_0040802C push 00408052h; ret 3_2_0040804A
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004070A4 push 004070D0h; ret 3_2_004070C8
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004041D8 push 00404204h; ret 3_2_004041FC
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004041A0 push 004041CCh; ret 3_2_004041C4
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404256 push 00404284h; ret 3_2_0040427C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404258 push 00404284h; ret 3_2_0040427C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404210 push 0040423Ch; ret 3_2_00404234
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004042C8 push 004042F4h; ret 3_2_004042EC
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_0040BA86 push ebp; retf 3_2_0040BAA6
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404290 push 004042BCh; ret 3_2_004042B4
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404370 push 0040439Ch; ret 3_2_00404394
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404300 push 0040432Ch; ret 3_2_00404324
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404338 push 00404364h; ret 3_2_0040435C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004043E0 push 0040440Ch; ret 3_2_00404404
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004043A8 push 004043D4h; ret 3_2_004043CC
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00406CE0 push 00406D36h; ret 3_2_00406D2E
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00403D28 push 00403D79h; ret 3_2_00403D71
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00403F58 push 00403F84h; ret 3_2_00403F7C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00403F90 push 00403FBCh; ret 3_2_00403FB4
Source: Order 24007219.exe Static PE information: section name: .text entropy: 7.905740093495377
Source: VC_redist.x64.exe.3.dr Static PE information: section name: .text entropy: 7.2127684610603096
Source: chrome.exe.3.dr Static PE information: section name: .text entropy: 6.832889069116846
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, SnhHkURaK2jqFElWlcH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YIDNGpgSYc', 'acgNKTiU4l', 'nDANC649CX', 'I55NghHX9g', 'Rq0NXhSJ1A', 'Sk7Nrfmh69', 'Dh2N8g99Kv'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, byHySoMF6JLHiDjfPZ.cs High entropy of concatenated method names: 'KnQResrBSg', 'N3QRno0N51', 'PXTRWMshgT', 'bgNR1qijO7', 'pXHR3KlBjW', 'cXNRShAj2H', 'bcNe1jaLp0W64hpfLE', 'cMOF26bRsGYalsTRTu', 'zcUZ6wWYdEshqnQul6', 'CZ8RR8uJ1J'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, xUCw0FQsWcnfHnSTnS.cs High entropy of concatenated method names: 'vPrdfgoywY', 'Ex5d7VGPo3', 'ha5dThsfyu', 'oe8dpeAtIS', 'lcsdHYy9ws', 'BNudO0ElCn', 'vpjd9O5ZPJ', 'TGxdJhQDjC', 'nbdRJbU6OXpuWqhO0PD', 'JkKT5QUh8yijcLt7bfi'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, s24kBFIxawmUU9l1xn.cs High entropy of concatenated method names: 'afq0jRv4lc', 'ICs0VZZYCS', 'tRu0iXEUKk', 'H7Q0q45riy', 'kl80dFlfIs', 'cLQ0el9Y1B', 'sIC0n63EYX', 'Has0cgRSYa', 'er50WIxtqZ', 'vwE01XcDgh'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, yU5KEJF70xMfmcjP8q.cs High entropy of concatenated method names: 'EjKTAcgBb', 'LCVp4Egi3', 'NRuHgnnV3', 'RgSO8hsi7', 'Uib9vscQ4', 'YJDJMSfIx', 'PeMd6CM9xHKFNo6SWR', 'tixQJO55GLiOuDMwgc', 'ylm0GGWDy', 'ruYNxB95o'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, mJJyWXCb6eBlTHe34G.cs High entropy of concatenated method names: 'ToString', 't6eSYPLIgL', 'CqASEkboXT', 'jGUShP6YlQ', 'RFnSQ2gYBH', 'TaDSsTEFG3', 'jnaSkroptZ', 'XIVSlooKF5', 'npOSu0gyGt', 'LfqSD8KqNt'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, aiJW3nnXjqjqRH1NGG.cs High entropy of concatenated method names: 'UM6avkDbGX', 'aP6ajULk0G', 'cctaVckCda', 'xM6aiJtYpC', 'pa4aqxabv0', 'BbhadB06hA', 'bpAae5Vj44', 'q5ianuTNr7', 'mFAacQ0bYn', 'KpkaWE0RJs'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, vqAdFkVsmIvdbGhKcN.cs High entropy of concatenated method names: 'Dispose', 'etpRLGShlP', 'tO4FEMBbZZ', 'QCrooccYu0', 'qw2Rm4kBFx', 'dwmRzUU9l1', 'ProcessDialogKey', 'onMFUJhKVC', 'aYsFRuOuhZ', 'MduFFFqrit'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, Cm8FLZ9XTMshgTFgNq.cs High entropy of concatenated method names: 'WeZipWikWf', 'uftiHS3taC', 'dd5ioK04Os', 'VyHi9V8qi4', 'SYDi3D6Tii', 'TXPiSys0F1', 'mR7ibIDrJQ', 'c0Ii0xQJUw', 'g9riwOPSN4', 'v5JiNcdpVn'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, iVObXtlnbFlrH9KKul.cs High entropy of concatenated method names: 'WIfejQc2Qe', 'XYMeiu3qOR', 'f4OedgXwrK', 'c81dmMPxQO', 'GeTdzQsViT', 'BKSeUpCVuZ', 'Yp8eRnfuZe', 'F7XeFEOgIs', 'BTFeanh6Qj', 'Cc7eMuIbrd'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, hjO7eeJY9rRrmSXHKl.cs High entropy of concatenated method names: 'nJbq5DbIOL', 'sg2qOjMP3V', 'z5bih3cObD', 'JFRiQ4srpm', 'nqDisSxwuR', 'DfiikhgZ0N', 'A43iliTBuv', 'kggiuWX5rW', 'VO8iD9YJX2', 'g5FiBcaP5q'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, I9BEaHDjBuiveoxbwC.cs High entropy of concatenated method names: 'ymke726t7f', 'IEte4rH2Fn', 'GQBeTiv3oS', 'I2yepgHQv2', 'fCNe5htfbg', 'CL6eHswx2h', 'bFQeOU6T6M', 'iUXeo1vT0e', 'MuSe9OgLME', 'p3FeJ3VvSy'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, NjWaXNyhAj2He4H1hT.cs High entropy of concatenated method names: 'FCddv3r9lP', 'LA6dVajR6p', 's3NdqPbQPg', 'uyWdeyVrl1', 'Df6dnneM3X', 'fZvqXkWRbk', 'aaSqrhmd4q', 'JKBq8y8i7B', 'eEUqIDc9Tv', 'a0RqLmZeew'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, aIAuRbGwMKwUNVfnHA.cs High entropy of concatenated method names: 'Opl3BuIKir', 'kot3ZOa7HN', 's673GmSGmp', 'wTW3K5bmXt', 'N4L3EEe47M', 'yAB3hMkAWb', 'fXK3Q5mnDl', 'GGg3sQQpy1', 'wHB3kbSra0', 'u2I3lYjenv'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, h4EeY2rXX6BSZ9dsKQ.cs High entropy of concatenated method names: 'nUibIwEQFK', 'X7ebmQThBh', 'KiF0UOTWB8', 'hgI0RaeGW9', 'Q9CbYtgk4P', 'kYIbZKyv0F', 'Aykb2qeyKq', 'f8lbGbwRXM', 'NRebK19hMV', 'wxYbCJG5Vc'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, zRqnLAgxQJh6HpcqYM.cs High entropy of concatenated method names: 'g3fbWNRwN5', 'mnQb1JlvVL', 'ToString', 'ifXbjmXDKa', 'YNqbVpkWve', 'maCbiArvc5', 'y4mbqviniH', 'YOKbdDwHE7', 'CWybeFclL0', 'JnTbnbO8oT'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, uGoTVARRlQyUPosZ5fO.cs High entropy of concatenated method names: 'ToString', 'ynFNadrxq0', 'cclNMRkqhp', 'PZxNv5JYVJ', 'fnTNjZG0Db', 'oPUNVAEnSP', 'PtONiZPQtl', 'RQcNqywM4b', 'bXUu9M2ntMDq6qOUjaQ', 'vGQ5OL2JiyKT2avqX52'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, dJhKVCLRYsuOuhZDdu.cs High entropy of concatenated method names: 'aE80yB6JGo', 'Xmb0ERjZLH', 'Neq0hrKQeN', 'FBx0QFMS5j', 'ktA0GtQbWf', 'Hck0sjW133', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, mFN9Pti7ykBxr7C8Rv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yK8FLHKINM', 'qePFm0kCT3', 'QC3FzIQD1g', 'PtXaUtwTJ6', 'w9qaRRMsk0', 'XI8aFX4J3b', 'EUMaaHZ24e', 'ycCrusHBw5tbAYZ624T'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, fD2Zjy2djFNkjNbMfG.cs High entropy of concatenated method names: 'bZ9xoGuIcN', 'Stpx9bkvQV', 'dGPxyF9Zru', 'Y9BxElxOGy', 'TboxQIWWN0', 'wg1xsXPWDs', 'fSMxlqxcVQ', 'K1yxuiSj9D', 'Ch4xBBtRbY', 'U4exYLQU0n'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, Mw637kRUJhKmvoClVm7.cs High entropy of concatenated method names: 'pfjw7nfjvW', 'CPGw4aaDYM', 'fu8wTF7yK8', 'TEwwpWdR27', 'jg9w59BC7L', 'M0SwHT6IQA', 'yBSwOFMPRM', 'wpOwosJwVw', 'mF5w9kKyF1', 'INswJlwW14'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, IsrBSgoD3Qo0N51DT1.cs High entropy of concatenated method names: 'gcyVGtuouC', 'LcHVKy6Ptv', 'ILdVCAf8QJ', 'kcMVgXwFHX', 'bMSVXW2cdF', 'PuOVrQtvAs', 'FKHV8fUJRi', 'VZnVIbgx3Y', 'IqUVLnywme', 'sRbVmiasQ3'
Source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, cqritsmcLPqruphrI9.cs High entropy of concatenated method names: 'vjcwRWJh5V', 'kwYwaqOPCh', 'SVwwM5edhX', 'VyuwjsKFSK', 'vj8wVHMxhS', 'F1RwqkDilY', 'VZHwdHrQY6', 'b7a08RMi3D', 'KXJ0IowrXB', 'CSg0Ly1KnF'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, SnhHkURaK2jqFElWlcH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YIDNGpgSYc', 'acgNKTiU4l', 'nDANC649CX', 'I55NghHX9g', 'Rq0NXhSJ1A', 'Sk7Nrfmh69', 'Dh2N8g99Kv'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, byHySoMF6JLHiDjfPZ.cs High entropy of concatenated method names: 'KnQResrBSg', 'N3QRno0N51', 'PXTRWMshgT', 'bgNR1qijO7', 'pXHR3KlBjW', 'cXNRShAj2H', 'bcNe1jaLp0W64hpfLE', 'cMOF26bRsGYalsTRTu', 'zcUZ6wWYdEshqnQul6', 'CZ8RR8uJ1J'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, xUCw0FQsWcnfHnSTnS.cs High entropy of concatenated method names: 'vPrdfgoywY', 'Ex5d7VGPo3', 'ha5dThsfyu', 'oe8dpeAtIS', 'lcsdHYy9ws', 'BNudO0ElCn', 'vpjd9O5ZPJ', 'TGxdJhQDjC', 'nbdRJbU6OXpuWqhO0PD', 'JkKT5QUh8yijcLt7bfi'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, s24kBFIxawmUU9l1xn.cs High entropy of concatenated method names: 'afq0jRv4lc', 'ICs0VZZYCS', 'tRu0iXEUKk', 'H7Q0q45riy', 'kl80dFlfIs', 'cLQ0el9Y1B', 'sIC0n63EYX', 'Has0cgRSYa', 'er50WIxtqZ', 'vwE01XcDgh'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, yU5KEJF70xMfmcjP8q.cs High entropy of concatenated method names: 'EjKTAcgBb', 'LCVp4Egi3', 'NRuHgnnV3', 'RgSO8hsi7', 'Uib9vscQ4', 'YJDJMSfIx', 'PeMd6CM9xHKFNo6SWR', 'tixQJO55GLiOuDMwgc', 'ylm0GGWDy', 'ruYNxB95o'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, mJJyWXCb6eBlTHe34G.cs High entropy of concatenated method names: 'ToString', 't6eSYPLIgL', 'CqASEkboXT', 'jGUShP6YlQ', 'RFnSQ2gYBH', 'TaDSsTEFG3', 'jnaSkroptZ', 'XIVSlooKF5', 'npOSu0gyGt', 'LfqSD8KqNt'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, aiJW3nnXjqjqRH1NGG.cs High entropy of concatenated method names: 'UM6avkDbGX', 'aP6ajULk0G', 'cctaVckCda', 'xM6aiJtYpC', 'pa4aqxabv0', 'BbhadB06hA', 'bpAae5Vj44', 'q5ianuTNr7', 'mFAacQ0bYn', 'KpkaWE0RJs'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, vqAdFkVsmIvdbGhKcN.cs High entropy of concatenated method names: 'Dispose', 'etpRLGShlP', 'tO4FEMBbZZ', 'QCrooccYu0', 'qw2Rm4kBFx', 'dwmRzUU9l1', 'ProcessDialogKey', 'onMFUJhKVC', 'aYsFRuOuhZ', 'MduFFFqrit'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, Cm8FLZ9XTMshgTFgNq.cs High entropy of concatenated method names: 'WeZipWikWf', 'uftiHS3taC', 'dd5ioK04Os', 'VyHi9V8qi4', 'SYDi3D6Tii', 'TXPiSys0F1', 'mR7ibIDrJQ', 'c0Ii0xQJUw', 'g9riwOPSN4', 'v5JiNcdpVn'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, iVObXtlnbFlrH9KKul.cs High entropy of concatenated method names: 'WIfejQc2Qe', 'XYMeiu3qOR', 'f4OedgXwrK', 'c81dmMPxQO', 'GeTdzQsViT', 'BKSeUpCVuZ', 'Yp8eRnfuZe', 'F7XeFEOgIs', 'BTFeanh6Qj', 'Cc7eMuIbrd'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, hjO7eeJY9rRrmSXHKl.cs High entropy of concatenated method names: 'nJbq5DbIOL', 'sg2qOjMP3V', 'z5bih3cObD', 'JFRiQ4srpm', 'nqDisSxwuR', 'DfiikhgZ0N', 'A43iliTBuv', 'kggiuWX5rW', 'VO8iD9YJX2', 'g5FiBcaP5q'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, I9BEaHDjBuiveoxbwC.cs High entropy of concatenated method names: 'ymke726t7f', 'IEte4rH2Fn', 'GQBeTiv3oS', 'I2yepgHQv2', 'fCNe5htfbg', 'CL6eHswx2h', 'bFQeOU6T6M', 'iUXeo1vT0e', 'MuSe9OgLME', 'p3FeJ3VvSy'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, NjWaXNyhAj2He4H1hT.cs High entropy of concatenated method names: 'FCddv3r9lP', 'LA6dVajR6p', 's3NdqPbQPg', 'uyWdeyVrl1', 'Df6dnneM3X', 'fZvqXkWRbk', 'aaSqrhmd4q', 'JKBq8y8i7B', 'eEUqIDc9Tv', 'a0RqLmZeew'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, aIAuRbGwMKwUNVfnHA.cs High entropy of concatenated method names: 'Opl3BuIKir', 'kot3ZOa7HN', 's673GmSGmp', 'wTW3K5bmXt', 'N4L3EEe47M', 'yAB3hMkAWb', 'fXK3Q5mnDl', 'GGg3sQQpy1', 'wHB3kbSra0', 'u2I3lYjenv'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, h4EeY2rXX6BSZ9dsKQ.cs High entropy of concatenated method names: 'nUibIwEQFK', 'X7ebmQThBh', 'KiF0UOTWB8', 'hgI0RaeGW9', 'Q9CbYtgk4P', 'kYIbZKyv0F', 'Aykb2qeyKq', 'f8lbGbwRXM', 'NRebK19hMV', 'wxYbCJG5Vc'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, zRqnLAgxQJh6HpcqYM.cs High entropy of concatenated method names: 'g3fbWNRwN5', 'mnQb1JlvVL', 'ToString', 'ifXbjmXDKa', 'YNqbVpkWve', 'maCbiArvc5', 'y4mbqviniH', 'YOKbdDwHE7', 'CWybeFclL0', 'JnTbnbO8oT'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, uGoTVARRlQyUPosZ5fO.cs High entropy of concatenated method names: 'ToString', 'ynFNadrxq0', 'cclNMRkqhp', 'PZxNv5JYVJ', 'fnTNjZG0Db', 'oPUNVAEnSP', 'PtONiZPQtl', 'RQcNqywM4b', 'bXUu9M2ntMDq6qOUjaQ', 'vGQ5OL2JiyKT2avqX52'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, dJhKVCLRYsuOuhZDdu.cs High entropy of concatenated method names: 'aE80yB6JGo', 'Xmb0ERjZLH', 'Neq0hrKQeN', 'FBx0QFMS5j', 'ktA0GtQbWf', 'Hck0sjW133', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, mFN9Pti7ykBxr7C8Rv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yK8FLHKINM', 'qePFm0kCT3', 'QC3FzIQD1g', 'PtXaUtwTJ6', 'w9qaRRMsk0', 'XI8aFX4J3b', 'EUMaaHZ24e', 'ycCrusHBw5tbAYZ624T'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, fD2Zjy2djFNkjNbMfG.cs High entropy of concatenated method names: 'bZ9xoGuIcN', 'Stpx9bkvQV', 'dGPxyF9Zru', 'Y9BxElxOGy', 'TboxQIWWN0', 'wg1xsXPWDs', 'fSMxlqxcVQ', 'K1yxuiSj9D', 'Ch4xBBtRbY', 'U4exYLQU0n'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, Mw637kRUJhKmvoClVm7.cs High entropy of concatenated method names: 'pfjw7nfjvW', 'CPGw4aaDYM', 'fu8wTF7yK8', 'TEwwpWdR27', 'jg9w59BC7L', 'M0SwHT6IQA', 'yBSwOFMPRM', 'wpOwosJwVw', 'mF5w9kKyF1', 'INswJlwW14'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, IsrBSgoD3Qo0N51DT1.cs High entropy of concatenated method names: 'gcyVGtuouC', 'LcHVKy6Ptv', 'ILdVCAf8QJ', 'kcMVgXwFHX', 'bMSVXW2cdF', 'PuOVrQtvAs', 'FKHV8fUJRi', 'VZnVIbgx3Y', 'IqUVLnywme', 'sRbVmiasQ3'
Source: 0.2.Order 24007219.exe.8f20000.11.raw.unpack, cqritsmcLPqruphrI9.cs High entropy of concatenated method names: 'vjcwRWJh5V', 'kwYwaqOPCh', 'SVwwM5edhX', 'VyuwjsKFSK', 'vj8wVHMxhS', 'F1RwqkDilY', 'VZHwdHrQY6', 'b7a08RMi3D', 'KXJ0IowrXB', 'CSg0Ly1KnF'
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, R87QTajabri3WprdxA.cs High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, QEHxtuXFnnkJABhbAo.cs High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, R87QTajabri3WprdxA.cs High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, I1Ds3abkUA5mh3kywv.cs High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, QEHxtuXFnnkJABhbAo.cs High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, SnhHkURaK2jqFElWlcH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YIDNGpgSYc', 'acgNKTiU4l', 'nDANC649CX', 'I55NghHX9g', 'Rq0NXhSJ1A', 'Sk7Nrfmh69', 'Dh2N8g99Kv'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, byHySoMF6JLHiDjfPZ.cs High entropy of concatenated method names: 'KnQResrBSg', 'N3QRno0N51', 'PXTRWMshgT', 'bgNR1qijO7', 'pXHR3KlBjW', 'cXNRShAj2H', 'bcNe1jaLp0W64hpfLE', 'cMOF26bRsGYalsTRTu', 'zcUZ6wWYdEshqnQul6', 'CZ8RR8uJ1J'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, xUCw0FQsWcnfHnSTnS.cs High entropy of concatenated method names: 'vPrdfgoywY', 'Ex5d7VGPo3', 'ha5dThsfyu', 'oe8dpeAtIS', 'lcsdHYy9ws', 'BNudO0ElCn', 'vpjd9O5ZPJ', 'TGxdJhQDjC', 'nbdRJbU6OXpuWqhO0PD', 'JkKT5QUh8yijcLt7bfi'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, s24kBFIxawmUU9l1xn.cs High entropy of concatenated method names: 'afq0jRv4lc', 'ICs0VZZYCS', 'tRu0iXEUKk', 'H7Q0q45riy', 'kl80dFlfIs', 'cLQ0el9Y1B', 'sIC0n63EYX', 'Has0cgRSYa', 'er50WIxtqZ', 'vwE01XcDgh'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, yU5KEJF70xMfmcjP8q.cs High entropy of concatenated method names: 'EjKTAcgBb', 'LCVp4Egi3', 'NRuHgnnV3', 'RgSO8hsi7', 'Uib9vscQ4', 'YJDJMSfIx', 'PeMd6CM9xHKFNo6SWR', 'tixQJO55GLiOuDMwgc', 'ylm0GGWDy', 'ruYNxB95o'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, mJJyWXCb6eBlTHe34G.cs High entropy of concatenated method names: 'ToString', 't6eSYPLIgL', 'CqASEkboXT', 'jGUShP6YlQ', 'RFnSQ2gYBH', 'TaDSsTEFG3', 'jnaSkroptZ', 'XIVSlooKF5', 'npOSu0gyGt', 'LfqSD8KqNt'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, aiJW3nnXjqjqRH1NGG.cs High entropy of concatenated method names: 'UM6avkDbGX', 'aP6ajULk0G', 'cctaVckCda', 'xM6aiJtYpC', 'pa4aqxabv0', 'BbhadB06hA', 'bpAae5Vj44', 'q5ianuTNr7', 'mFAacQ0bYn', 'KpkaWE0RJs'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, vqAdFkVsmIvdbGhKcN.cs High entropy of concatenated method names: 'Dispose', 'etpRLGShlP', 'tO4FEMBbZZ', 'QCrooccYu0', 'qw2Rm4kBFx', 'dwmRzUU9l1', 'ProcessDialogKey', 'onMFUJhKVC', 'aYsFRuOuhZ', 'MduFFFqrit'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, Cm8FLZ9XTMshgTFgNq.cs High entropy of concatenated method names: 'WeZipWikWf', 'uftiHS3taC', 'dd5ioK04Os', 'VyHi9V8qi4', 'SYDi3D6Tii', 'TXPiSys0F1', 'mR7ibIDrJQ', 'c0Ii0xQJUw', 'g9riwOPSN4', 'v5JiNcdpVn'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, iVObXtlnbFlrH9KKul.cs High entropy of concatenated method names: 'WIfejQc2Qe', 'XYMeiu3qOR', 'f4OedgXwrK', 'c81dmMPxQO', 'GeTdzQsViT', 'BKSeUpCVuZ', 'Yp8eRnfuZe', 'F7XeFEOgIs', 'BTFeanh6Qj', 'Cc7eMuIbrd'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, hjO7eeJY9rRrmSXHKl.cs High entropy of concatenated method names: 'nJbq5DbIOL', 'sg2qOjMP3V', 'z5bih3cObD', 'JFRiQ4srpm', 'nqDisSxwuR', 'DfiikhgZ0N', 'A43iliTBuv', 'kggiuWX5rW', 'VO8iD9YJX2', 'g5FiBcaP5q'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, I9BEaHDjBuiveoxbwC.cs High entropy of concatenated method names: 'ymke726t7f', 'IEte4rH2Fn', 'GQBeTiv3oS', 'I2yepgHQv2', 'fCNe5htfbg', 'CL6eHswx2h', 'bFQeOU6T6M', 'iUXeo1vT0e', 'MuSe9OgLME', 'p3FeJ3VvSy'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, NjWaXNyhAj2He4H1hT.cs High entropy of concatenated method names: 'FCddv3r9lP', 'LA6dVajR6p', 's3NdqPbQPg', 'uyWdeyVrl1', 'Df6dnneM3X', 'fZvqXkWRbk', 'aaSqrhmd4q', 'JKBq8y8i7B', 'eEUqIDc9Tv', 'a0RqLmZeew'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, aIAuRbGwMKwUNVfnHA.cs High entropy of concatenated method names: 'Opl3BuIKir', 'kot3ZOa7HN', 's673GmSGmp', 'wTW3K5bmXt', 'N4L3EEe47M', 'yAB3hMkAWb', 'fXK3Q5mnDl', 'GGg3sQQpy1', 'wHB3kbSra0', 'u2I3lYjenv'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, h4EeY2rXX6BSZ9dsKQ.cs High entropy of concatenated method names: 'nUibIwEQFK', 'X7ebmQThBh', 'KiF0UOTWB8', 'hgI0RaeGW9', 'Q9CbYtgk4P', 'kYIbZKyv0F', 'Aykb2qeyKq', 'f8lbGbwRXM', 'NRebK19hMV', 'wxYbCJG5Vc'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, zRqnLAgxQJh6HpcqYM.cs High entropy of concatenated method names: 'g3fbWNRwN5', 'mnQb1JlvVL', 'ToString', 'ifXbjmXDKa', 'YNqbVpkWve', 'maCbiArvc5', 'y4mbqviniH', 'YOKbdDwHE7', 'CWybeFclL0', 'JnTbnbO8oT'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, uGoTVARRlQyUPosZ5fO.cs High entropy of concatenated method names: 'ToString', 'ynFNadrxq0', 'cclNMRkqhp', 'PZxNv5JYVJ', 'fnTNjZG0Db', 'oPUNVAEnSP', 'PtONiZPQtl', 'RQcNqywM4b', 'bXUu9M2ntMDq6qOUjaQ', 'vGQ5OL2JiyKT2avqX52'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, dJhKVCLRYsuOuhZDdu.cs High entropy of concatenated method names: 'aE80yB6JGo', 'Xmb0ERjZLH', 'Neq0hrKQeN', 'FBx0QFMS5j', 'ktA0GtQbWf', 'Hck0sjW133', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, mFN9Pti7ykBxr7C8Rv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yK8FLHKINM', 'qePFm0kCT3', 'QC3FzIQD1g', 'PtXaUtwTJ6', 'w9qaRRMsk0', 'XI8aFX4J3b', 'EUMaaHZ24e', 'ycCrusHBw5tbAYZ624T'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, fD2Zjy2djFNkjNbMfG.cs High entropy of concatenated method names: 'bZ9xoGuIcN', 'Stpx9bkvQV', 'dGPxyF9Zru', 'Y9BxElxOGy', 'TboxQIWWN0', 'wg1xsXPWDs', 'fSMxlqxcVQ', 'K1yxuiSj9D', 'Ch4xBBtRbY', 'U4exYLQU0n'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, Mw637kRUJhKmvoClVm7.cs High entropy of concatenated method names: 'pfjw7nfjvW', 'CPGw4aaDYM', 'fu8wTF7yK8', 'TEwwpWdR27', 'jg9w59BC7L', 'M0SwHT6IQA', 'yBSwOFMPRM', 'wpOwosJwVw', 'mF5w9kKyF1', 'INswJlwW14'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, IsrBSgoD3Qo0N51DT1.cs High entropy of concatenated method names: 'gcyVGtuouC', 'LcHVKy6Ptv', 'ILdVCAf8QJ', 'kcMVgXwFHX', 'bMSVXW2cdF', 'PuOVrQtvAs', 'FKHV8fUJRi', 'VZnVIbgx3Y', 'IqUVLnywme', 'sRbVmiasQ3'
Source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, cqritsmcLPqruphrI9.cs High entropy of concatenated method names: 'vjcwRWJh5V', 'kwYwaqOPCh', 'SVwwM5edhX', 'VyuwjsKFSK', 'vj8wVHMxhS', 'F1RwqkDilY', 'VZHwdHrQY6', 'b7a08RMi3D', 'KXJ0IowrXB', 'CSg0Ly1KnF'
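The "High entropy of concatenated method names" lines above are the sandbox's .NET obfuscation heuristic: the method names of one class are joined into a single string and their character entropy is measured; renamed identifiers such as 'sRJJ4PC1lt6MgSX9oLN' spread evenly over upper case, lower case and digits, while real identifiers cluster on a few lowercase letters. The following is an added example, not Joe Sandbox code, that re-implements the check in Python over one line copied from this report and over the readable member names (Dispose, MoveNext, ToString, ...) that appear among the obfuscated ones because the obfuscator could not rename inherited or overridden members. The 5.0-bit threshold, the regex for the report line layout and the word-identifier heuristic are my own assumptions, not the sandbox's.

```python
import math
import re
from collections import Counter

# Assumed cut-off for "high entropy" in bits per character of the joined
# names. Joe Sandbox does not publish its threshold; 5.0 is my own choice.
ENTROPY_THRESHOLD = 5.0

# Layout of one signature line as printed in the report above. The group
# names are mine, not the sandbox's.
_LINE_RE = re.compile(
    r"^Source:\s+(?P<dump>.+?),\s+(?P<cls>\S+\.cs)\s+"
    r"High entropy of concatenated method names:\s+(?P<names>.*)$"
)


def parse_report_line(line):
    """Split one signature line into (memory dump, class file, [names])."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an entropy-signature line: %r" % line)
    names = re.findall(r"'([^']*)'", m.group("names"))
    return m.group("dump"), m.group("cls"), names


def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def concatenated_entropy(names):
    """The sandbox heuristic: entropy of all method names joined together."""
    return shannon_entropy("".join(names))


def looks_like_word_identifier(name):
    """True for PascalCase names built from pronounceable words (Dispose,
    MoveNext, ToString): no digits, and some capital letter followed by a
    run of three or more lowercase letters that contains a vowel."""
    if any(ch.isdigit() for ch in name):
        return False
    for run in re.findall(r"[A-Z]([a-z]+)", name):
        if len(run) >= 3 and re.search(r"[aeiou]", run):
            return True
    return False


def word_identifier_ratio(names):
    """Share of names that still look like human-written identifiers."""
    if not names:
        return 0.0
    return sum(looks_like_word_identifier(n) for n in names) / len(names)


def classify(names, entropy_threshold=ENTROPY_THRESHOLD, word_ratio_floor=0.5):
    """Combine both signals. Compiler-generated members such as Dispose and
    MoveNext survive renaming, so a few readable names in a class are still
    compatible with obfuscation; the ratio floor allows for that."""
    entropy = concatenated_entropy(names)
    ratio = word_identifier_ratio(names)
    return {
        "entropy": entropy,
        "word_ratio": ratio,
        "suspicious": entropy > entropy_threshold and ratio < word_ratio_floor,
    }


# Sample input: one line copied from the report above.
OBFUSCATED_LINE = (
    "Source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs "
    "High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', "
    "'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', "
    "'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', "
    "'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'"
)

# Baseline: the readable member names that appear among the obfuscated
# ones in the report (inherited or overridden members left unrenamed).
READABLE_NAMES = [
    "CanConvertFrom", "ConvertFrom", "ConvertTo", "Dispose", "MoveNext",
    "ToString", "ProcessDialogKey", "EditValue", "GetEditStyle", "Next",
    "NextBytes",
]

if __name__ == "__main__":
    _, cls, names = parse_report_line(OBFUSCATED_LINE)
    print(cls, classify(names))
    print("readable baseline", classify(READABLE_NAMES))
```

The obfuscated class lands well above the assumed threshold (about 5.6 bits per character) and the readable baseline well below it (about 4.5), which is the separation the sandbox's signature relies on; a class whose only readable names are Dispose and MoveNext, as several entries above show, is still flagged because the ratio floor tolerates a small number of unrenamed members.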

Persistence and Installation Behavior

Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1977733940.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2389620654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 4028, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
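The "System file written" entries above are what a file infector such as Neshta leaves behind: a loader is dropped as C:\Windows\svchost.com and every executable the sample can reach under Program Files (x86) and ProgramData is overwritten, Windows Defender platform binaries included. Scoping that damage is the first cleanup task. The script below is an added Python example, not part of the report or of any Joe Sandbox tooling, that parses lines in this report's layout and summarises the infection by product directory, separating the dropper in C:\Windows from the overwritten executables and flagging security-tool binaries. The line regex, the product-grouping heuristic and the sample subset of ten lines are my own constructions; on a live host the same enumeration would be run against the file system instead of report text.

```python
import re
from collections import Counter

# Layout of the report's file-event lines; the group names are mine.
_EVENT_RE = re.compile(
    r"^Source:\s+(?P<writer>.+?\.exe)\s+"
    r"(?P<action>File created|File written|System file written):\s+"
    r"(?P<path>.+?)(?:\s+Jump to (?:behavior|dropped file))?$"
)

# Action labels the report uses when an existing executable is overwritten.
OVERWRITE_ACTIONS = {"File written", "System file written"}

# Constructed sample: ten lines copied from the section above.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
"""


def parse_file_events(text):
    """Return one dict (writer, action, path) per file-event line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def product_root(path):
    """Heuristic grouping key: vendor/product directory under Program Files,
    the product directory under ProgramData, otherwise the top-level folder."""
    parts = path.split("\\")
    if len(parts) > 2 and parts[1] in ("Program Files", "Program Files (x86)"):
        return "\\".join(parts[:3])
    if len(parts) > 3 and parts[1] == "ProgramData":
        return "\\".join(parts[:4])
    return "\\".join(parts[:2])


def triage(events):
    """Scope a file-infector run: what was dropped into C:\\Windows, how many
    existing executables were overwritten, which products they belong to and
    whether security-tool binaries are among them."""
    dropped_in_windows = sorted(
        {e["path"] for e in events
         if e["action"] == "File created"
         and e["path"].lower().startswith("c:\\windows\\")}
    )
    overwritten = sorted(
        {e["path"] for e in events
         if e["action"] in OVERWRITE_ACTIONS
         and e["path"].lower().endswith(".exe")}
    )
    by_product = Counter(product_root(p) for p in overwritten)
    security_tools = [p for p in overwritten if "windows defender" in p.lower()]
    return {
        "dropped_in_windows": dropped_in_windows,
        "overwritten_count": len(overwritten),
        "by_product": by_product,
        "security_tool_binaries": security_tools,
    }


if __name__ == "__main__":
    result = triage(parse_file_events(SAMPLE_LINES))
    print("dropper:", result["dropped_in_windows"])
    print("overwritten executables:", result["overwritten_count"])
    for root, count in result["by_product"].most_common():
        print("  %-50s %d" % (root, count))
    print("security tooling touched:", result["security_tool_binaries"])
```

Fed the full list above, the per-product counts tell you which installations must be repaired or reinstalled rather than cleaned file by file, and the Windows Defender hits are the ones to deal with first, since the infected MsMpEng.exe and NisSrv.exe are the engine that would otherwise be trusted to do the cleanup.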
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\Windows\svchost.com Jump to dropped file

Boot Survival

Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1977733940.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2389620654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 4028, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order 24007219.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 5948, type: MEMORYSTR
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 25F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 2440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 4B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 5B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 5C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 6C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: 9830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: A830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: ACC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: BCC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Users\user\Desktop\Order 24007219.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Users\user\Desktop\Order 24007219.exe TID: 1896 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 3_2_00405080
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 3_2_00405634
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00404F6C FindFirstFileA,FindClose, 3_2_00404F6C
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 3_2_004056A7
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 3_2_00406D40
Source: C:\Users\user\Desktop\Order 24007219.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\Desktop\Order 24007219.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: Order 24007219.exe, 00000003.00000002.2389955685.00000000014C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_
Source: C:\Users\user\Desktop\Order 24007219.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Order 24007219.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\Order 24007219.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\Desktop\Order 24007219.exe Process created: C:\Users\user\Desktop\Order 24007219.exe "C:\Users\user\Desktop\Order 24007219.exe" Jump to behavior
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: GetLocaleInfoA, 3_2_00403CB4
Source: C:\Users\user\Desktop\Order 24007219.exe Queries volume information: C:\Users\user\Desktop\Order 24007219.exe VolumeInformation
Source: C:\Users\user\Desktop\Order 24007219.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order 24007219.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order 24007219.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order 24007219.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order 24007219.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_004057D8 GetLocalTime, 3_2_004057D8
Source: C:\Users\user\Desktop\Order 24007219.exe Code function: 3_2_00403D7D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 3_2_00403D7D
Source: C:\Users\user\Desktop\Order 24007219.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order 24007219.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1977733940.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2389620654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 4028, type: MEMORYSTR
Source: Yara match File source: 0.2.Order 24007219.exe.264b690.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.7370000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1982976345.0000000007370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1977733940.00000000025FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 5948, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Order 24007219.exe.4283bc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.41fd5a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1978414166.0000000003FCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order 24007219.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: 0.2.Order 24007219.exe.264b690.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.7370000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.7370000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order 24007219.exe.264b690.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1982976345.0000000007370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1977733940.00000000025FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos