Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Order 24007219.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

C:\Program Files (x86)\AutoIt3\Au3Check.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\Au3Info.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\AutoIt3\Uninstall.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\chrome.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Windows\svchost.com

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 24007219.exe.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\3582-490\Order 24007219.exe

data

dropped

C:\Users\user\AppData\Local\Temp\tmp5023.tmp

Non-ISO extended-ASCII text, with CR line terminators

modified

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 147 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Order 24007219.exe

"C:\Users\user\Desktop\Order 24007219.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5948
Target ID:	0
Parent PID:	1028
Name:	Order 24007219.exe
Path:	C:\Users\user\Desktop\Order 24007219.exe
Commandline:	"C:\Users\user\Desktop\Order 24007219.exe"
Size:	793088
MD5:	E77F0D830D8353F748F97EA6C692B7F7
Time:	10:48:48
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x100000
Modulesize:	811008
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Neshta	Spreading, Persistence and Installation Behavior, Boot Survival, Stealing of Sensitive Information
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Classes Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Order 24007219.exe

"C:\Users\user\Desktop\Order 24007219.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4028
Target ID:	3
Parent PID:	5948
Name:	Order 24007219.exe
Path:	C:\Users\user\Desktop\Order 24007219.exe
Commandline:	"C:\Users\user\Desktop\Order 24007219.exe"
Size:	793088
MD5:	E77F0D830D8353F748F97EA6C692B7F7
Time:	10:48:49
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	811008
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Neshta	Spreading, Persistence and Installation Behavior, Boot Survival, Stealing of Sensitive Information
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Initial sample is a PE file and has a suspicious name	System Summary
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Classes Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith

unknown

https://crashpad.chromium.org/

unknown

http://aka.ms/sdxdebug

unknown

https://account.dyn.com/

unknown

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter

unknown

https://crashpad.chromium.org/bug/new

unknown

https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda

unknown

https://unitedstates1.ss.wd.microsoft.us/

unknown

http://stackoverflow.com/a/15123777)

unknown

http://https://ftp://.htmlGot

unknown

http://www.computerhope.com/forum/index.php?topic=76293.0

unknown

http://nsis.sf.net/NSIS_ErrorError

unknown

https://www.autoitscript.com/autoit3/

unknown

https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new

unknown

https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml

unknown

http://stackoverflow.com/a/1465386/4224163

unknown

http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript

unknown

https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml

unknown

http://www.tutorialspoint.com/javascript/array_map.htm

unknown

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce

unknown

https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith

unknown

http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER

unknown

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim

unknown

http://stackoverflow.com/questions/1068834/object-comparison-in-javascript

unknown

http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte

unknown

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf

unknown

https://unitedstates2.ss.wd.microsoft.us/

unknown

https://unitedstates4.ss.wd.microsoft.us/

unknown

http://es5.github.io/#x15.4.4.21

unknown

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith

unknown

https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff

unknown

There are 21 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

NULL

Details

TargetID:	3
Path:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Value name:	NULL
Value data:	C:\Windows\svchost.com "%1" %*

Signature Hits	Behavior Group	Mitre Attack
Creates an undocumented autostart registry key	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Classes Autorun Keys Modification	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

25FA000

trusted library allocation

page read and write

28D5000

trusted library allocation

page read and write

7370000

trusted library section

page read and write

400000

remote allocation

page execute and read and write

3FCE000

trusted library allocation

page read and write

CE7000

heap

page read and write

6A0000

heap

page read and write

7C2000

heap

page read and write

3010000

heap

page read and write

14F8000

heap

page read and write

259B000

trusted library allocation

page read and write

73E000

stack

page read and write

301B000

heap

page read and write

6EE0000

trusted library allocation

page read and write

8BB000

trusted library allocation

page execute and read and write

14A8000

heap

page read and write

1513000

heap

page read and write

37EE000

stack

page read and write

7080000

heap

page read and write

6ED0000

trusted library allocation

page execute and read and write

169E000

stack

page read and write

883000

trusted library allocation

page execute and read and write

38EF000

stack

page read and write

14BE000

heap

page read and write

7A10000

heap

page read and write

8FB5000

trusted library allocation

page read and write

25B1000

trusted library allocation

page read and write

91E000

stack

page read and write

FF0000

heap

page read and write

25F1000

trusted library allocation

page read and write

392E000

stack

page read and write

940000

heap

page read and write

3B6F000

stack

page read and write

6EB0000

trusted library allocation

page read and write

3016000

heap

page read and write

8CD0000

trusted library allocation

page execute and read and write

36AD000

stack

page read and write

25BD000

trusted library allocation

page read and write

3E47000

trusted library allocation

page read and write

7260000

heap

page read and write

8A6000

trusted library allocation

page execute and read and write

2590000

trusted library allocation

page read and write

2687000

trusted library allocation

page read and write

3A6E000

stack

page read and write

736D000

stack

page read and write

14B5000

heap

page read and write

73A0000

trusted library allocation

page read and write

73B5000

heap

page read and write

1503000

heap

page read and write

14A0000

heap

page read and write

2580000

heap

page read and write

14FE000

heap

page read and write

139E000

stack

page read and write

8B10000

heap

page read and write

70B0000

trusted library allocation

page read and write

88D000

trusted library allocation

page execute and read and write

CEFE000

stack

page read and write

B4F000

stack

page read and write

8B2000

trusted library allocation

page read and write

8FB0000

trusted library allocation

page read and write

3DF9000

trusted library allocation

page read and write

5580000

heap

page read and write

418000

remote allocation

page execute and read and write

3E95000

trusted library allocation

page read and write

7090000

trusted library allocation

page execute and read and write

311F000

stack

page read and write

7060000

trusted library section

page readonly

12F0000

stack

page read and write

3DF5000

trusted library allocation

page read and write

7070000

heap

page read and write

D040000

heap

page read and write

8D0000

trusted library allocation

page read and write

8B7000

trusted library allocation

page execute and read and write

251B000

stack

page read and write

7A7000

heap

page read and write

CDBF000

stack

page read and write

1340000

heap

page read and write

9212000

trusted library allocation

page read and write

356E000

stack

page read and write

8F20000

trusted library section

page read and write

102000

unkown

page execute and read and write

2430000

heap

page read and write

982F000

stack

page read and write

8B1E000

heap

page read and write

366E000

stack

page read and write

46EC000

stack

page read and write

2583000

heap

page read and write

7000000

trusted library allocation

page execute and read and write

D03E000

stack

page read and write

7250000

trusted library section

page read and write

35F1000

trusted library allocation

page read and write

CE0000

heap

page read and write

78A000

heap

page read and write

6B5000

heap

page read and write

2FE0000

heap

page read and write

8AA000

trusted library allocation

page execute and read and write

7440000

trusted library allocation

page read and write

890000

trusted library allocation

page read and write

A4F000

stack

page read and write

5570000

heap

page read and write

6F30000

trusted library allocation

page read and write

3EE3000

trusted library allocation

page read and write

F89000

stack

page read and write

7390000

trusted library allocation

page execute and read and write

89D000

trusted library allocation

page execute and read and write

904E000

stack

page read and write

CDFE000

stack

page read and write

25E0000

heap

page execute and read and write

2FC0000

heap

page read and write

2400000

trusted library allocation

page execute and read and write

972E000

stack

page read and write

5C0000

heap

page read and write

7A20000

heap

page read and write

96EE000

stack

page read and write

CF3E000

stack

page read and write

255E000

stack

page read and write

102000

unkown

page readonly

2448000

trusted library allocation

page read and write

14C4000

heap

page read and write

13A0000

heap

page read and write

70D0000

heap

page execute and read and write

13A5000

heap

page read and write

6B0000

heap

page read and write

8A0000

trusted library allocation

page read and write

780000

heap

page read and write

1536000

heap

page read and write

100000

unkown

page execute and read and write

73B0000

heap

page read and write

70A0000

trusted library allocation

page read and write

25D0000

trusted library allocation

page read and write

23FF000

stack

page read and write

7430000

trusted library allocation

page read and write

1B3000

unkown

page execute and read and write

2FC4000

heap

page read and write

2410000

trusted library allocation

page read and write

4B2E000

stack

page read and write

2570000

trusted library allocation

page read and write

133E000

stack

page read and write

25B6000

trusted library allocation

page read and write

151B000

heap

page read and write

770000

trusted library allocation

page read and write

7B5000

heap

page read and write

6FF0000

trusted library allocation

page read and write

880000

trusted library allocation

page read and write

25D5000

trusted library allocation

page read and write

920000

heap

page read and write

7A44000

heap

page read and write

459000

stack

page read and write

100000

unkown

page readonly

2420000

trusted library allocation

page read and write

8FFE000

stack

page read and write

37AF000

stack

page read and write

705C000

stack

page read and write

5660000

trusted library allocation

page read and write

3A2F000

stack

page read and write

8A2000

trusted library allocation

page read and write

557000

stack

page read and write

6F20000

heap

page read and write

884000

trusted library allocation

page read and write

1C1000

unkown

page execute and read and write

2560000

trusted library allocation

page read and write

7450000

trusted library allocation

page execute and read and write

25AE000

trusted library allocation

page read and write

6FE000

stack

page read and write

266F000

trusted library allocation

page read and write

78E000

heap

page read and write

There are 156 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Order 24007219.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrder 24007219.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
Order 24007219.exe