Windows Analysis Report
QSPC03PC230308097.exe

Overview

General Information

Sample name: QSPC03PC230308097.exe
Analysis ID: 1417462
MD5: a2242c1c19df8b628a64165e062b03a3
SHA1: 11f998b2c123df7b43814248f40aefb0de75e9d8
SHA256: 0737b4a17fda7c3b5ffe49d1f33da4b1789d0f3b7c77a54113d6136f1672782a
Tags: exe, Neshta, Quotation

Detection

AgentTesla, Neshta, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Neshta
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: neshta
Description: Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

AV Detection

Source: QSPC03PC230308097.exe Avira: detected
Source: QSPC03PC230308097.exe.6900.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.toliddaru.ir", "Username": "phtd@toliddaru.ir", "Password": "Aa@1401"}
Source: QSPC03PC230308097.exe Virustotal: Detection: 47%
Source: QSPC03PC230308097.exe ReversingLabs: Detection: 57%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: QSPC03PC230308097.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Unpacked PE file: 0.2.QSPC03PC230308097.exe.de0000.0.unpack
Source: QSPC03PC230308097.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QSPC03PC230308097.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.2.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.2.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.2.dr, msedge.exe0.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.2.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.2.dr, msedge.exe0.2.dr
Source: Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.2.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.2.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdbdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoadfsb.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTE.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source: Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb source: ONENOTE.EXE.2.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.2.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.2.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.2.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.2.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: Aut2exe_x64.exe.2.dr
Source: Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.2.dr
Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdb source: msoadfsb.exe.2.dr

Spreading

Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1651215137.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2053230169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6388, type: MEMORYSTR
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 2_2_00405080
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 2_2_00405634
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404F6C FindFirstFileA,FindClose, 2_2_00404F6C
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 2_2_004056A7
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 2_2_00406D40
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_089462F4
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_0894F2E8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0894F2E8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then xor edx, edx 0_2_0894F220
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0894624D
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_0894EFC8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0894EFC8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 4x nop then jmp 0A0CC80Ah 0_2_0A0CBE97

Networking

Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: integrator.exe.2.dr String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: OLicenseHeartbeat.exe.2.dr String found in binary or memory: http://CodeTypeIsExpectedOffice.System.ResultGlobal
Source: OfficeScrSanBroker.exe.2.dr String found in binary or memory: http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER
Source: msoadfsb.exe.2.dr String found in binary or memory: http://aka.ms/sdxdebug
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AdobeARMHelper.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://es5.github.io/#x15.4.4.21
Source: MSOHTMED.EXE.2.dr String found in binary or memory: http://https://ftp://.htmlGot
Source: jucheck.exe.2.dr String found in binary or memory: http://java.sun.com
Source: jucheck.exe.2.dr String found in binary or memory: http://java.sun.comnot
Source: QSPC03PC230308097.exe, 00000002.00000002.2053358913.0000000000D30000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://stackoverflow.com/a/1465386/4224163
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://stackoverflow.com/questions/1068834/object-comparison-in-javascript
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/
Source: QSPC03PC230308097.exe, 00000000.00000002.1651215137.000000000317A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.2.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Aut2exe.exe.2.dr String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe_x64.exe.2.dr String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://www.computerhope.com/forum/index.php?topic=76293.0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr, GoogleUpdateOnDemand.exe.2.dr, ssvagent.exe.2.dr, jp2launcher.exe.2.dr, GoogleCrashHandler64.exe.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://www.tutorialspoint.com/javascript/array_map.htm
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: QSPC03PC230308097.exe, 00000000.00000002.1655577551.0000000009B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: OcPubMgr.exe.2.dr String found in binary or memory: http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm
Source: QSPC03PC230308097.exe, 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: msedge.exe.2.dr, msedge.exe0.2.dr String found in binary or memory: https://crashpad.chromium.org/
Source: msedge.exe.2.dr, msedge.exe0.2.dr String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: msedge.exe.2.dr, msedge.exe0.2.dr String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: msedge_proxy.exe.2.dr, msedge.exe.2.dr, msedge_pwa_launcher.exe.2.dr, msedge.exe0.2.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_proxy.exe.2.dr, msedge.exe.2.dr, msedge_pwa_launcher.exe.2.dr, msedge.exe0.2.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda
Source: OLicenseHeartbeat.exe.2.dr String found in binary or memory: https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader
Source: integrator.exe.2.dr String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.2.dr String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: integrator.exe.2.dr Binary or memory string: RegisterRawInputDevices memstr_366992ae-3
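The long "System file written" list above and the "String found in binary or memory" lines in this Networking section share one line shape, so a single triage helper serves both. The code below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It parses a constructed excerpt of the report's own lines, groups the overwritten executables by zone (a Desktop-launched process rewriting .exe files under Program Files, ProgramData and Windows is the in-place infection the report records), and sorts the URL strings by provenance. Most of the URLs come from dropped (`.dr`) files, which are the infected host binaries, and are CRL/OCSP/CA-certificate references from their Authenticode signatures; the stray characters after them (`crl0G`, `com0C`, `CPS0`) are the DER SEQUENCE tag 0x30 ('0') and length byte of the ASN.1 element that follows the URI inside the certificate, kept because they happen to be printable. Strings attributed to a memory dump (`.sdmp`) of the sample's own process are the ones worth a closer look. The zone prefixes, the certificate-URL heuristic and the `.dr`/`.sdmp` suffix handling are my assumptions about the report format.

```python
"""Triage helpers for Joe Sandbox lines of the form 'Source: <source> <event>: <value>'.

Added example, not code from the original report. Answers two first-hour questions:
which pre-existing executables were overwritten in place (file-infector behaviour),
and which URL strings come from the sample's own memory rather than from dropped,
infected host binaries (whose URLs are mostly Authenticode certificate-chain links)."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report lines above (link text removed).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Windows\svchost.com
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Aut2exe_x64.exe.2.dr, Au3Check.exe.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: jucheck.exe.2.dr, jusched.exe.2.dr String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: QSPC03PC230308097.exe, 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: QSPC03PC230308097.exe, 00000002.00000002.2053358913.0000000000D30000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
"""

EVENT_RE = re.compile(r"^Source: (?P<source>.+?) (?P<event>System file written|File created|"
                      r"String found in binary or memory): (?P<value>.+)$")
# CRL / OCSP / CA-cert / CPS / repository references, i.e. certificate-chain noise (heuristic).
PKI_HINT = re.compile(r"://(ocsp\d?|crl\d?|cacerts|secure)\.|\.(crl|crt)|/CPS|/repository/", re.I)
# A URI inside an X.509 extension is followed by the DER SEQUENCE tag 0x30 ('0') and a
# length byte; when that length byte is printable the string extractor keeps both.
DER_TAIL = re.compile(r"^(?P<url>https?://.+?)(?P<tail>0[0-9A-Za-z=]?)?$")
# Assumed zone prefixes; order matters because 'c:\programdata' must not hit 'c:\program files'.
ZONES = (("c:\\program files", "program_files"), ("c:\\programdata", "programdata"),
         ("c:\\windows", "windows"), ("c:\\users\\", "user_profile"))


def parse_lines(text):
    """Return (source, event, value) triples for each line in the report shape."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return [(m["source"], m["event"], m["value"]) for m in matches if m]


def classify_written_files(records):
    """Group 'System file written' targets by zone; .exe files under Program Files,
    ProgramData or Windows rewritten by a Desktop-launched process is the in-place
    infection pattern listed above."""
    zones = defaultdict(list)
    for _, event, value in records:
        if event == "System file written":
            low = value.lower()
            zone = next((z for prefix, z in ZONES if low.startswith(prefix)), "other")
            zones[zone].append(value)
    return dict(zones)


def impacted_roots(paths, depth=2):
    """Count overwritten files per product directory (drive plus `depth` components),
    e.g. 'C:\\Program Files (x86)\\Microsoft Office', to scope repair or reinstall."""
    return Counter("\\".join(p.split("\\")[: depth + 1]) for p in paths)


def launcher_created(records, name="svchost.com"):
    """True if a 'File created' event points at <name> directly inside C:\\Windows."""
    return any(event == "File created" and value.lower() == "c:\\windows\\" + name
               for _, event, value in records)


def clean_pki_url(raw):
    """Strip the DER tag/length tail ('0', '0G', '0C', ...) from a certificate URL."""
    m = DER_TAIL.match(raw)
    return m["url"] if m else raw


def attribute_urls(records):
    """Bucket URL strings: certificate-chain noise, strings seen only in dropped (.dr)
    files, and strings present in the sample's own memory dumps (.sdmp)."""
    groups = defaultdict(set)
    for source, event, raw in records:
        if event != "String found in binary or memory":
            continue
        tokens = [t.strip() for t in source.split(",")]
        if PKI_HINT.search(raw):
            groups["pki_noise"].add(clean_pki_url(raw))
        elif any(t.endswith(".sdmp") for t in tokens):
            groups["sample_memory"].add(raw)
        elif all(t.endswith(".dr") for t in tokens):
            groups["dropped_only"].add(raw)
        else:
            groups["other"].add(raw)
    return {k: sorted(v) for k, v in groups.items()}


def triage(text):
    """One-shot summary of a pasted block of report lines."""
    records = parse_lines(text)
    zones = classify_written_files(records)
    hits = [p for z in ("program_files", "programdata", "windows") for p in zones.get(z, [])]
    return {"records": len(records), "overwritten_system_executables": len(hits),
            "impacted_roots": impacted_roots(hits), "launcher_created": launcher_created(records),
            "urls": attribute_urls(records)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LINES).items():
        print(f"{key}: {val}")
```

Paste the full "System file written" and "String found in binary or memory" blocks from a report into `SAMPLE_LINES` (or read them from a file) and `triage()` returns the count of overwritten system executables, the product directories they fall under, whether `C:\Windows\svchost.com` was created, and the URLs that survive once certificate-chain and dropped-file-only strings are set aside. The DER-tail strip is applied only to strings the PKI heuristic flags, so a genuine URL that ends in a digit is left untouched.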

System Summary

Source: 2.2.QSPC03PC230308097.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 2.2.QSPC03PC230308097.exe.40a698.0.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030113E0
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030126A8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03013560
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030108D1
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03011C92
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03011348
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03015680
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03015690
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030116C9
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0301347B
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0301F498
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03015B00
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03015B10
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030158A0
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030158B0
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03014FD8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03014FE8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_03015CF9
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08125A90
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0812E01A
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0812E028
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08127420
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0812EF30
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0812EF40
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_089455E0
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_089440B7
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_089440B8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0894F9C8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08946310
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08946301
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08946599
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0894D570
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C3A28
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0CD650
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C9A18
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0CE928
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C79A8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C1268
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C1290
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C0040
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C91A8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C7568
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C95D2
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C95E0
Source: lync99.exe.2.dr Static PE information: No import functions for PE file found
Source: Au3Check.exe.2.dr Static PE information: No import functions for PE file found
Source: SDXHelper.exe.2.dr Static PE information: No import functions for PE file found
Source: Aut2exe_x64.exe.2.dr Static PE information: No import functions for PE file found
Source: upx.exe.2.dr Static PE information: No import functions for PE file found
Source: AutoIt3_x64.exe.2.dr Static PE information: No import functions for PE file found
Source: MpCopyAccelerator.exe.2.dr Static PE information: No import functions for PE file found
Source: ConfigSecurityPolicy.exe.2.dr Static PE information: No import functions for PE file found
Source: Uninstall.exe.2.dr Static PE information: No import functions for PE file found
Source: aimgr.exe.2.dr Static PE information: No import functions for PE file found
Source: aimgr.exe0.2.dr Static PE information: No import functions for PE file found
Source: UcMapi.exe.2.dr Static PE information: No import functions for PE file found
Source: Wordconv.exe.2.dr Static PE information: No import functions for PE file found
Source: ai.exe.2.dr Static PE information: No import functions for PE file found
Source: msoasb.exe.2.dr Static PE information: No import functions for PE file found
Source: SciTE.exe.2.dr Static PE information: No import functions for PE file found
Source: AutoIt3Help.exe.2.dr Static PE information: No import functions for PE file found
Source: Aut2exe.exe.2.dr Static PE information: No import functions for PE file found
Source: filecompare.exe.2.dr Static PE information: No import functions for PE file found
Source: NisSrv.exe.2.dr Static PE information: No import functions for PE file found
Source: MsMpEng.exe.2.dr Static PE information: No import functions for PE file found
Source: ai.exe0.2.dr Static PE information: No import functions for PE file found
Source: chrome.exe.2.dr Static PE information: No import functions for PE file found
Source: VC_redist.x64.exe.2.dr Static PE information: No import functions for PE file found
Source: MpDlpCmd.exe.2.dr Static PE information: No import functions for PE file found
Source: msoadfsb.exe.2.dr Static PE information: No import functions for PE file found
Source: MpCmdRun.exe.2.dr Static PE information: No import functions for PE file found
Source: PerfBoost.exe.2.dr Static PE information: No import functions for PE file found
Source: integrator.exe.2.dr Static PE information: No import functions for PE file found
Source: OLicenseHeartbeat.exe.2.dr Static PE information: No import functions for PE file found
Source: IEContentService.exe.2.dr Static PE information: No import functions for PE file found
Source: msoev.exe.2.dr Static PE information: No import functions for PE file found
Source: Au3Info.exe.2.dr Static PE information: No import functions for PE file found
Source: MpCmdRun.exe0.2.dr Static PE information: No import functions for PE file found
Source: misc.exe.2.dr Static PE information: No import functions for PE file found
Source: mpextms.exe.2.dr Static PE information: No import functions for PE file found
Source: Au3Info_x64.exe.2.dr Static PE information: No import functions for PE file found
Source: lync99.exe.2.dr Static PE information: Data appended to the last section found
Source: Au3Check.exe.2.dr Static PE information: Data appended to the last section found
Source: SDXHelper.exe.2.dr Static PE information: Data appended to the last section found
Source: upx.exe.2.dr Static PE information: Data appended to the last section found
Source: MpCopyAccelerator.exe.2.dr Static PE information: Data appended to the last section found
Source: ConfigSecurityPolicy.exe.2.dr Static PE information: Data appended to the last section found
Source: Uninstall.exe.2.dr Static PE information: Data appended to the last section found
Source: aimgr.exe.2.dr Static PE information: Data appended to the last section found
Source: aimgr.exe0.2.dr Static PE information: Data appended to the last section found
Source: Wordconv.exe.2.dr Static PE information: Data appended to the last section found
Source: ai.exe.2.dr Static PE information: Data appended to the last section found
Source: msoasb.exe.2.dr Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.2.dr Static PE information: Data appended to the last section found
Source: filecompare.exe.2.dr Static PE information: Data appended to the last section found
Source: MsMpEng.exe.2.dr Static PE information: Data appended to the last section found
Source: ai.exe0.2.dr Static PE information: Data appended to the last section found
Source: chrome.exe.2.dr Static PE information: Data appended to the last section found
Source: VC_redist.x64.exe.2.dr Static PE information: Data appended to the last section found
Source: MpDlpCmd.exe.2.dr Static PE information: Data appended to the last section found
Source: PerfBoost.exe.2.dr Static PE information: Data appended to the last section found
Source: OLicenseHeartbeat.exe.2.dr Static PE information: Data appended to the last section found
Source: IEContentService.exe.2.dr Static PE information: Data appended to the last section found
Source: msoev.exe.2.dr Static PE information: Data appended to the last section found
Source: Au3Info.exe.2.dr Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.2.dr Static PE information: Data appended to the last section found
Source: QSPC03PC230308097.exe, 00000000.00000000.1634544433.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKqqK.exeD vs QSPC03PC230308097.exe
Source: QSPC03PC230308097.exe, 00000000.00000002.1656599456.000000000A400000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs QSPC03PC230308097.exe
Source: QSPC03PC230308097.exe, 00000000.00000002.1650697177.000000000142E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs QSPC03PC230308097.exe
Source: QSPC03PC230308097.exe, 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs QSPC03PC230308097.exe
Source: QSPC03PC230308097.exe, 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename76efe27d-13bf-4b49-bffa-4e8ceb2fcd72.exe4 vs QSPC03PC230308097.exe
Source: QSPC03PC230308097.exe Binary or memory string: OriginalFilenameKqqK.exeD vs QSPC03PC230308097.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Section loaded: ntmarta.dll
Source: QSPC03PC230308097.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.QSPC03PC230308097.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 2.2.QSPC03PC230308097.exe.40a698.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: QSPC03PC230308097.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: upx.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mpextms.exe.2.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Aut2exe.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 1.0071614583333333
Source: Aut2exe.exe.2.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: Aut2exe_x64.exe.2.dr Static PE information: Section: .rsrc ZLIB complexity 1.0071614583333333
Source: Aut2exe_x64.exe.2.dr Static PE information: Section: .reloc ZLIB complexity 1.021484375
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: _0020.SetAccessControl
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: _0020.AddAccessRule
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, AQ0H17BpUbyb4jWBs1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, AQ0H17BpUbyb4jWBs1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: _0020.SetAccessControl
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: _0020.AddAccessRule
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, AQ0H17BpUbyb4jWBs1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: _0020.SetAccessControl
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, YQ3No54So1seQhpPbq.cs Security API names: _0020.AddAccessRule
Source: 0.2.QSPC03PC230308097.exe.32175dc.6.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.QSPC03PC230308097.exe.9b30000.9.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.QSPC03PC230308097.exe.31f8404.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: msedge.exe0.2.dr Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
Source: OfficeScrSanBroker.exe.2.dr Binary string: \Device\Afd\WepollNtCreateFilentdll.dllNtReleaseKeyedEventRtlNtStatusToDosErrorNtDeviceIoControlFileNtWaitForKeyedEventNtCreateKeyedEventwsipcudptcppipe_ != NULLopensource\libzmq\src\channel.cpp%s (%s:%d)
Source: msedge.exe0.2.dr Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@4/156@0/0
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QSPC03PC230308097.exe.log
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Mutant created: NULL
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Users\user\AppData\Local\Temp\3582-490
Source: QSPC03PC230308097.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QSPC03PC230308097.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: integrator.exe.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: QSPC03PC230308097.exe Virustotal: Detection: 47%
Source: QSPC03PC230308097.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File read: C:\Users\user\Desktop\QSPC03PC230308097.exe
Source: unknown Process created: C:\Users\user\Desktop\QSPC03PC230308097.exe "C:\Users\user\Desktop\QSPC03PC230308097.exe"
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Process created: C:\Users\user\Desktop\QSPC03PC230308097.exe "C:\Users\user\Desktop\QSPC03PC230308097.exe"
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Process created: C:\Users\user\Desktop\QSPC03PC230308097.exe "C:\Users\user\Desktop\QSPC03PC230308097.exe"
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QSPC03PC230308097.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QSPC03PC230308097.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
Source: Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.2.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.2.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.2.dr, msedge.exe0.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.2.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.2.dr, msedge.exe0.2.dr
Source: Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.2.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.2.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdbdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoadfsb.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTE.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source: Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr
Source: Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb source: ONENOTE.EXE.2.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.2.dr
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.2.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.2.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.2.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: Aut2exe_x64.exe.2.dr
Source: Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.2.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.2.dr
Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdb source: msoadfsb.exe.2.dr

Data Obfuscation

Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Unpacked PE file: 0.2.QSPC03PC230308097.exe.de0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Unpacked PE file: 0.2.QSPC03PC230308097.exe.de0000.0.unpack
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, YQ3No54So1seQhpPbq.cs .Net Code: Rpp3sxT2Lx System.Reflection.Assembly.Load(byte[])
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs .Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, YQ3No54So1seQhpPbq.cs .Net Code: Rpp3sxT2Lx System.Reflection.Assembly.Load(byte[])
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, YQ3No54So1seQhpPbq.cs .Net Code: Rpp3sxT2Lx System.Reflection.Assembly.Load(byte[])
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, I1Ds3abkUA5mh3kywv.cs .Net Code: hyVW2X9uL System.Reflection.Assembly.Load(byte[])
Source: QSPC03PC230308097.exe Static PE information: 0xE5FA3E0C [Mon Apr 7 04:52:28 2092 UTC]
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_030176AF push ecx; iretd 0_2_030176B5
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0812A270 push ecx; iretd 0_2_0812A27E
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08943F00 push 49800893h; iretd 0_2_089440B6
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_089440A8 push 49800893h; iretd 0_2_089440B6
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_08949BAC push cs; retf 0_2_08949BAF
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C4E97 push esp; ret 0_2_0A0C4E98
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 0_2_0A0C5275 push esp; ret 0_2_0A0C5276
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_0040C07B push ecx; iretd 2_2_0040C08D
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_0040802C push 00408052h; ret 2_2_0040804A
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004070A4 push 004070D0h; ret 2_2_004070C8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004041D8 push 00404204h; ret 2_2_004041FC
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004041A0 push 004041CCh; ret 2_2_004041C4
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404256 push 00404284h; ret 2_2_0040427C
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404258 push 00404284h; ret 2_2_0040427C
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404210 push 0040423Ch; ret 2_2_00404234
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004042C8 push 004042F4h; ret 2_2_004042EC
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404290 push 004042BCh; ret 2_2_004042B4
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404370 push 0040439Ch; ret 2_2_00404394
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404300 push 0040432Ch; ret 2_2_00404324
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404338 push 00404364h; ret 2_2_0040435C
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004043E0 push 0040440Ch; ret 2_2_00404404
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004043A8 push 004043D4h; ret 2_2_004043CC
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00406CE0 push 00406D36h; ret 2_2_00406D2E
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00403D28 push 00403D79h; ret 2_2_00403D71
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_0040F5AB push es; ret 2_2_0040F5B4
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00403F58 push 00403F84h; ret 2_2_00403F7C
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00403F90 push 00403FBCh; ret 2_2_00403FB4
Source: QSPC03PC230308097.exe Static PE information: section name: .text entropy: 7.798294412872063
Source: VC_redist.x64.exe.2.dr Static PE information: section name: .text entropy: 7.212711697841779
Source: chrome.exe.2.dr Static PE information: section name: .text entropy: 6.834152427252378
Source: Aut2exe.exe.2.dr Static PE information: section name: .text entropy: 7.129534194721162
Source: upx.exe.2.dr Static PE information: section name: .text entropy: 7.900702078730443
Source: Uninstall.exe.2.dr Static PE information: section name: .text entropy: 6.845995468798278
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, cmj53S8csZt3XY6dRV.cs High entropy of concatenated method names: 'eRKJhslaLh', 'lDuJYh0f5t', 'QXJJ3EdRvC', 'RTMJElLuQa', 'blYJebbH1S', 'DMYJjj5NMI', 'jCuJHRWBQc', 'D9ZVIrfVel', 'EhkV8GJADB', 'O7WVgWHi8V'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, TpXh0oNQBlyJgLc5C3.cs High entropy of concatenated method names: 'PoGjqKio7a', 'DRpjBLwnKa', 'VduUQNAKJT', 'HnoU55ZR5h', 'tf8UGwWU49', 'me4U0NBJ3p', 'L9RUmWlCCp', 'EgbUMF9EQg', 'Xh1UuJbS12', 'xeXURdD5gR'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, s5Xl7vFaad5FVXhONt.cs High entropy of concatenated method names: 'y6iT7fXqee', 'rurTdIjP9i', 'sQITsbTkRr', 'iFUTa7Owhk', 'VbKTqsJXS0', 'rVhT41cFgZ', 'PF5TBUwO6h', 'fTETNKWo0E', 'BEjTnykmJI', 'B3TTXrLNCJ'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, AQ0H17BpUbyb4jWBs1.cs High entropy of concatenated method names: 'sHjeb2FLXX', 'cIFewVhNdO', 'H31ekJT1dw', 'dtTeoOBDVB', 'cJaetPiX1y', 'nMpe9SDsal', 'D1veIhvqG4', 'DJJe8fSGSb', 'hYOegA3CWx', 'NBsepo9i4v'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, YQ3No54So1seQhpPbq.cs High entropy of concatenated method names: 'y3qYCCb3Gj', 'SF9YEUTvpH', 'sqoYemuEhP', 'zcoYUKcboW', 'hLAYjedBhw', 'ib1YH8D9U6', 'un5YTiHsdc', 'hwgYKevTbw', 'FCnYLgVkXk', 'lJiYPDPwAW'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, mnnSSdz5Uqd8yUCfd1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VNKJDHY2Sx', 'qkIJZXmawq', 'rsaJWNvWa5', 'DfBJlXbmog', 'mspJV5PP2w', 'gWXJJcSiXG', 'LvrJAus05q'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, xnpUXHDdqZfbjeqoHI.cs High entropy of concatenated method names: 'ToString', 'yibWioT18R', 'VjmW1bV0ti', 'CjNWQyWLIn', 'wNJW5M5jT0', 'TQxWGUKPaL', 'zv9W0lBl2n', 'D4AWm0D8Cm', 'AZWWMM8A6v', 'voHWumNelp'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, hPSI9mSbGZcCM6Ldy9.cs High entropy of concatenated method names: 'LJ2HCMpps9', 'uGnHeAmGpX', 'fFZHjNMONU', 'EqtHTfDZaS', 'lXIHKfjLJ6', 'wHGjtEZt5W', 'PN7j91dVji', 'uDKjIobu3Z', 'dXfj8uA9vZ', 'rS0jgFtTsr'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, oIV0SM1qBhB6s6jHai.cs High entropy of concatenated method names: 'vIRsA5dCh', 'mWwawUa03', 'c6y4SBP53', 'dh3BAWg8u', 'NtpnWAobe', 'nekX6F3E9', 's22uTx8vXfeRRfyI12', 'gsxjiInF7F80ZQtPro', 'd1gVNpP0s', 'OpTARrSEc'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, qUbqRjPH7QrggG59OrD.cs High entropy of concatenated method names: 'fVSJ7dNcir', 'V6EJdVDkcD', 'RGLJsAbJQg', 'FJlJam3CJ0', 'XFLJqs5K8T', 'sLZJ4SYvFR', 'K3vJBPoxJa', 'KOvJNdvTNS', 'Y1jJnEONKn', 'TVQJXgHw42'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, J6cR8bTNlq40kMtptA.cs High entropy of concatenated method names: 'Usrl8pIwnu', 'Y40lp3RrqM', 'owkVf42yPF', 'JxZVhCSyxy', 'zy5liq4Yjh', 'SjqlFbenSo', 'QpXlxlC995', 'XNPlb1iyVW', 'dhPlwI08J4', 'iTllksOQF1'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, BEqUxGqTXmMvtmq6dA.cs High entropy of concatenated method names: 'x6iVE45svW', 'IpEVe3ECfy', 'IZlVUqs3XM', 'JuUVjGk0EW', 'bLMVHcmEnX', 'wpCVTQoPXs', 'SphVKF5AH4', 'oOvVLCQpU6', 'qD9VPJIi7R', 'pykV2PoChh'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, I9xY27PtDGHaqQTrh58.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XyrAb1IqIZ', 'w7VAwHipBZ', 'oSGAkIfmnR', 'W1RAoEbki9', 'ykmAtkPtCL', 'ouQA9H6yvN', 'TeiAITTEDs'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, S92TI73dKkC8UZqcIe.cs High entropy of concatenated method names: 'EcxhTK3c80', 'rEZhKTiHKZ', 'zRwhPI63H2', 'RFlh28J3dE', 'QA1hZSZioY', 'AEhhWNd16A', 'dbEXSjXd76bTQu7Eqc', 'v4mUcUu1Gjby1v8RQ5', 'PM7hhFB8xZ', 'LXohYZHn1g'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, Do4G1BPPgsyM6eHqvGR.cs High entropy of concatenated method names: 'ToString', 'zpLAYjFvR4', 'CrVA3pGUxt', 'w4JACQ1IY2', 'WO7AEY62VV', 'A9sAeA3Eba', 'xSkAUny3mi', 'prYAjiRtcv', 'DYT5uL9BCXuuTRhQjnS', 'gYd9lW9iDH7akQMf5hd'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, yVGVPoVSuPbv6AWbEd.cs High entropy of concatenated method names: 'mYKZRcWBCr', 'dUkZFpCUJL', 'S1qZblJeu9', 'P52ZwmpYTV', 'oVYZ1HEt7d', 'P5cZQOQiGK', 'GRBZ5eeoSZ', 'sXVZGvdm8K', 'aQRZ0xtlDj', 'DTZZm1G1YQ'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, MXYAaceiTdSH3B2Y4e.cs High entropy of concatenated method names: 'FHJDNlS6Zr', 'h0gDnCq77G', 'j8xDSmYAKM', 'syiD16sMG1', 'rBqD5ohZpK', 'OcGDGN0VWE', 'qqaDmWa6Vk', 'QEvDMftEqp', 'ytoDRMpExj', 'bv2DiOttMs'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, oADqKGkUaYRyu9b1Sa.cs High entropy of concatenated method names: 'g6aVSHfmrD', 'bZAV1SeN9c', 'GUCVQsWwJu', 'I7CV5iHgO8', 'avAVbNaHB3', 'RrVVGIW8iY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, BFNdCoIqsUh76kjhGf.cs High entropy of concatenated method names: 'Dispose', 'aErhg9YINI', 'F6br1fIuRD', 'VPm669cxus', 'gmHhpTl3Zm', 'XVshzcs4n1', 'ProcessDialogKey', 'oUFrfO6e6o', 'i60rhYe5yc', 'IZ5rrLhsRk'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, cXZFcOUmZWwIo86LW1.cs High entropy of concatenated method names: 'AOKUaIT086', 'D6SU4L2sZv', 'FpHUNIisW9', 'c8XUnB2Pon', 'mtVUZp2Bw1', 'bibUWWkqQw', 'Uw5Ul3G9In', 'i9DUVdSCfu', 'LCyUJXg2uh', 'J3oUABWgYI'
Source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, Xuk8CuiJPjiclIovj4.cs High entropy of concatenated method names: 'aFblPN3Rm8', 'L8Ul2uDsJc', 'ToString', 'xIVlEihTtU', 'wrvleDdFjx', 'kpalUBK1Dx', 'zAoljFoNIk', 'CwxlHCVVwQ', 'N2tlTPNcDj', 'Q4mlKWswVg'
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, R87QTajabri3WprdxA.cs High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, I1Ds3abkUA5mh3kywv.cs High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, QEHxtuXFnnkJABhbAo.cs High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, cmj53S8csZt3XY6dRV.cs High entropy of concatenated method names: 'eRKJhslaLh', 'lDuJYh0f5t', 'QXJJ3EdRvC', 'RTMJElLuQa', 'blYJebbH1S', 'DMYJjj5NMI', 'jCuJHRWBQc', 'D9ZVIrfVel', 'EhkV8GJADB', 'O7WVgWHi8V'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, TpXh0oNQBlyJgLc5C3.cs High entropy of concatenated method names: 'PoGjqKio7a', 'DRpjBLwnKa', 'VduUQNAKJT', 'HnoU55ZR5h', 'tf8UGwWU49', 'me4U0NBJ3p', 'L9RUmWlCCp', 'EgbUMF9EQg', 'Xh1UuJbS12', 'xeXURdD5gR'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, s5Xl7vFaad5FVXhONt.cs High entropy of concatenated method names: 'y6iT7fXqee', 'rurTdIjP9i', 'sQITsbTkRr', 'iFUTa7Owhk', 'VbKTqsJXS0', 'rVhT41cFgZ', 'PF5TBUwO6h', 'fTETNKWo0E', 'BEjTnykmJI', 'B3TTXrLNCJ'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, AQ0H17BpUbyb4jWBs1.cs High entropy of concatenated method names: 'sHjeb2FLXX', 'cIFewVhNdO', 'H31ekJT1dw', 'dtTeoOBDVB', 'cJaetPiX1y', 'nMpe9SDsal', 'D1veIhvqG4', 'DJJe8fSGSb', 'hYOegA3CWx', 'NBsepo9i4v'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, YQ3No54So1seQhpPbq.cs High entropy of concatenated method names: 'y3qYCCb3Gj', 'SF9YEUTvpH', 'sqoYemuEhP', 'zcoYUKcboW', 'hLAYjedBhw', 'ib1YH8D9U6', 'un5YTiHsdc', 'hwgYKevTbw', 'FCnYLgVkXk', 'lJiYPDPwAW'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, mnnSSdz5Uqd8yUCfd1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VNKJDHY2Sx', 'qkIJZXmawq', 'rsaJWNvWa5', 'DfBJlXbmog', 'mspJV5PP2w', 'gWXJJcSiXG', 'LvrJAus05q'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, xnpUXHDdqZfbjeqoHI.cs High entropy of concatenated method names: 'ToString', 'yibWioT18R', 'VjmW1bV0ti', 'CjNWQyWLIn', 'wNJW5M5jT0', 'TQxWGUKPaL', 'zv9W0lBl2n', 'D4AWm0D8Cm', 'AZWWMM8A6v', 'voHWumNelp'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, hPSI9mSbGZcCM6Ldy9.cs High entropy of concatenated method names: 'LJ2HCMpps9', 'uGnHeAmGpX', 'fFZHjNMONU', 'EqtHTfDZaS', 'lXIHKfjLJ6', 'wHGjtEZt5W', 'PN7j91dVji', 'uDKjIobu3Z', 'dXfj8uA9vZ', 'rS0jgFtTsr'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, oIV0SM1qBhB6s6jHai.cs High entropy of concatenated method names: 'vIRsA5dCh', 'mWwawUa03', 'c6y4SBP53', 'dh3BAWg8u', 'NtpnWAobe', 'nekX6F3E9', 's22uTx8vXfeRRfyI12', 'gsxjiInF7F80ZQtPro', 'd1gVNpP0s', 'OpTARrSEc'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, qUbqRjPH7QrggG59OrD.cs High entropy of concatenated method names: 'fVSJ7dNcir', 'V6EJdVDkcD', 'RGLJsAbJQg', 'FJlJam3CJ0', 'XFLJqs5K8T', 'sLZJ4SYvFR', 'K3vJBPoxJa', 'KOvJNdvTNS', 'Y1jJnEONKn', 'TVQJXgHw42'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, J6cR8bTNlq40kMtptA.cs High entropy of concatenated method names: 'Usrl8pIwnu', 'Y40lp3RrqM', 'owkVf42yPF', 'JxZVhCSyxy', 'zy5liq4Yjh', 'SjqlFbenSo', 'QpXlxlC995', 'XNPlb1iyVW', 'dhPlwI08J4', 'iTllksOQF1'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, BEqUxGqTXmMvtmq6dA.cs High entropy of concatenated method names: 'x6iVE45svW', 'IpEVe3ECfy', 'IZlVUqs3XM', 'JuUVjGk0EW', 'bLMVHcmEnX', 'wpCVTQoPXs', 'SphVKF5AH4', 'oOvVLCQpU6', 'qD9VPJIi7R', 'pykV2PoChh'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, I9xY27PtDGHaqQTrh58.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XyrAb1IqIZ', 'w7VAwHipBZ', 'oSGAkIfmnR', 'W1RAoEbki9', 'ykmAtkPtCL', 'ouQA9H6yvN', 'TeiAITTEDs'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, S92TI73dKkC8UZqcIe.cs High entropy of concatenated method names: 'EcxhTK3c80', 'rEZhKTiHKZ', 'zRwhPI63H2', 'RFlh28J3dE', 'QA1hZSZioY', 'AEhhWNd16A', 'dbEXSjXd76bTQu7Eqc', 'v4mUcUu1Gjby1v8RQ5', 'PM7hhFB8xZ', 'LXohYZHn1g'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, Do4G1BPPgsyM6eHqvGR.cs High entropy of concatenated method names: 'ToString', 'zpLAYjFvR4', 'CrVA3pGUxt', 'w4JACQ1IY2', 'WO7AEY62VV', 'A9sAeA3Eba', 'xSkAUny3mi', 'prYAjiRtcv', 'DYT5uL9BCXuuTRhQjnS', 'gYd9lW9iDH7akQMf5hd'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, yVGVPoVSuPbv6AWbEd.cs High entropy of concatenated method names: 'mYKZRcWBCr', 'dUkZFpCUJL', 'S1qZblJeu9', 'P52ZwmpYTV', 'oVYZ1HEt7d', 'P5cZQOQiGK', 'GRBZ5eeoSZ', 'sXVZGvdm8K', 'aQRZ0xtlDj', 'DTZZm1G1YQ'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, MXYAaceiTdSH3B2Y4e.cs High entropy of concatenated method names: 'FHJDNlS6Zr', 'h0gDnCq77G', 'j8xDSmYAKM', 'syiD16sMG1', 'rBqD5ohZpK', 'OcGDGN0VWE', 'qqaDmWa6Vk', 'QEvDMftEqp', 'ytoDRMpExj', 'bv2DiOttMs'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, oADqKGkUaYRyu9b1Sa.cs High entropy of concatenated method names: 'g6aVSHfmrD', 'bZAV1SeN9c', 'GUCVQsWwJu', 'I7CV5iHgO8', 'avAVbNaHB3', 'RrVVGIW8iY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, BFNdCoIqsUh76kjhGf.cs High entropy of concatenated method names: 'Dispose', 'aErhg9YINI', 'F6br1fIuRD', 'VPm669cxus', 'gmHhpTl3Zm', 'XVshzcs4n1', 'ProcessDialogKey', 'oUFrfO6e6o', 'i60rhYe5yc', 'IZ5rrLhsRk'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, cXZFcOUmZWwIo86LW1.cs High entropy of concatenated method names: 'AOKUaIT086', 'D6SU4L2sZv', 'FpHUNIisW9', 'c8XUnB2Pon', 'mtVUZp2Bw1', 'bibUWWkqQw', 'Uw5Ul3G9In', 'i9DUVdSCfu', 'LCyUJXg2uh', 'J3oUABWgYI'
Source: 0.2.QSPC03PC230308097.exe.a400000.11.raw.unpack, Xuk8CuiJPjiclIovj4.cs High entropy of concatenated method names: 'aFblPN3Rm8', 'L8Ul2uDsJc', 'ToString', 'xIVlEihTtU', 'wrvleDdFjx', 'kpalUBK1Dx', 'zAoljFoNIk', 'CwxlHCVVwQ', 'N2tlTPNcDj', 'Q4mlKWswVg'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, cmj53S8csZt3XY6dRV.cs High entropy of concatenated method names: 'eRKJhslaLh', 'lDuJYh0f5t', 'QXJJ3EdRvC', 'RTMJElLuQa', 'blYJebbH1S', 'DMYJjj5NMI', 'jCuJHRWBQc', 'D9ZVIrfVel', 'EhkV8GJADB', 'O7WVgWHi8V'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, TpXh0oNQBlyJgLc5C3.cs High entropy of concatenated method names: 'PoGjqKio7a', 'DRpjBLwnKa', 'VduUQNAKJT', 'HnoU55ZR5h', 'tf8UGwWU49', 'me4U0NBJ3p', 'L9RUmWlCCp', 'EgbUMF9EQg', 'Xh1UuJbS12', 'xeXURdD5gR'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, s5Xl7vFaad5FVXhONt.cs High entropy of concatenated method names: 'y6iT7fXqee', 'rurTdIjP9i', 'sQITsbTkRr', 'iFUTa7Owhk', 'VbKTqsJXS0', 'rVhT41cFgZ', 'PF5TBUwO6h', 'fTETNKWo0E', 'BEjTnykmJI', 'B3TTXrLNCJ'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, AQ0H17BpUbyb4jWBs1.cs High entropy of concatenated method names: 'sHjeb2FLXX', 'cIFewVhNdO', 'H31ekJT1dw', 'dtTeoOBDVB', 'cJaetPiX1y', 'nMpe9SDsal', 'D1veIhvqG4', 'DJJe8fSGSb', 'hYOegA3CWx', 'NBsepo9i4v'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, YQ3No54So1seQhpPbq.cs High entropy of concatenated method names: 'y3qYCCb3Gj', 'SF9YEUTvpH', 'sqoYemuEhP', 'zcoYUKcboW', 'hLAYjedBhw', 'ib1YH8D9U6', 'un5YTiHsdc', 'hwgYKevTbw', 'FCnYLgVkXk', 'lJiYPDPwAW'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, mnnSSdz5Uqd8yUCfd1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VNKJDHY2Sx', 'qkIJZXmawq', 'rsaJWNvWa5', 'DfBJlXbmog', 'mspJV5PP2w', 'gWXJJcSiXG', 'LvrJAus05q'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, xnpUXHDdqZfbjeqoHI.cs High entropy of concatenated method names: 'ToString', 'yibWioT18R', 'VjmW1bV0ti', 'CjNWQyWLIn', 'wNJW5M5jT0', 'TQxWGUKPaL', 'zv9W0lBl2n', 'D4AWm0D8Cm', 'AZWWMM8A6v', 'voHWumNelp'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, hPSI9mSbGZcCM6Ldy9.cs High entropy of concatenated method names: 'LJ2HCMpps9', 'uGnHeAmGpX', 'fFZHjNMONU', 'EqtHTfDZaS', 'lXIHKfjLJ6', 'wHGjtEZt5W', 'PN7j91dVji', 'uDKjIobu3Z', 'dXfj8uA9vZ', 'rS0jgFtTsr'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, oIV0SM1qBhB6s6jHai.cs High entropy of concatenated method names: 'vIRsA5dCh', 'mWwawUa03', 'c6y4SBP53', 'dh3BAWg8u', 'NtpnWAobe', 'nekX6F3E9', 's22uTx8vXfeRRfyI12', 'gsxjiInF7F80ZQtPro', 'd1gVNpP0s', 'OpTARrSEc'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, qUbqRjPH7QrggG59OrD.cs High entropy of concatenated method names: 'fVSJ7dNcir', 'V6EJdVDkcD', 'RGLJsAbJQg', 'FJlJam3CJ0', 'XFLJqs5K8T', 'sLZJ4SYvFR', 'K3vJBPoxJa', 'KOvJNdvTNS', 'Y1jJnEONKn', 'TVQJXgHw42'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, J6cR8bTNlq40kMtptA.cs High entropy of concatenated method names: 'Usrl8pIwnu', 'Y40lp3RrqM', 'owkVf42yPF', 'JxZVhCSyxy', 'zy5liq4Yjh', 'SjqlFbenSo', 'QpXlxlC995', 'XNPlb1iyVW', 'dhPlwI08J4', 'iTllksOQF1'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, BEqUxGqTXmMvtmq6dA.cs High entropy of concatenated method names: 'x6iVE45svW', 'IpEVe3ECfy', 'IZlVUqs3XM', 'JuUVjGk0EW', 'bLMVHcmEnX', 'wpCVTQoPXs', 'SphVKF5AH4', 'oOvVLCQpU6', 'qD9VPJIi7R', 'pykV2PoChh'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, I9xY27PtDGHaqQTrh58.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XyrAb1IqIZ', 'w7VAwHipBZ', 'oSGAkIfmnR', 'W1RAoEbki9', 'ykmAtkPtCL', 'ouQA9H6yvN', 'TeiAITTEDs'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, S92TI73dKkC8UZqcIe.cs High entropy of concatenated method names: 'EcxhTK3c80', 'rEZhKTiHKZ', 'zRwhPI63H2', 'RFlh28J3dE', 'QA1hZSZioY', 'AEhhWNd16A', 'dbEXSjXd76bTQu7Eqc', 'v4mUcUu1Gjby1v8RQ5', 'PM7hhFB8xZ', 'LXohYZHn1g'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, Do4G1BPPgsyM6eHqvGR.cs High entropy of concatenated method names: 'ToString', 'zpLAYjFvR4', 'CrVA3pGUxt', 'w4JACQ1IY2', 'WO7AEY62VV', 'A9sAeA3Eba', 'xSkAUny3mi', 'prYAjiRtcv', 'DYT5uL9BCXuuTRhQjnS', 'gYd9lW9iDH7akQMf5hd'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, yVGVPoVSuPbv6AWbEd.cs High entropy of concatenated method names: 'mYKZRcWBCr', 'dUkZFpCUJL', 'S1qZblJeu9', 'P52ZwmpYTV', 'oVYZ1HEt7d', 'P5cZQOQiGK', 'GRBZ5eeoSZ', 'sXVZGvdm8K', 'aQRZ0xtlDj', 'DTZZm1G1YQ'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, MXYAaceiTdSH3B2Y4e.cs High entropy of concatenated method names: 'FHJDNlS6Zr', 'h0gDnCq77G', 'j8xDSmYAKM', 'syiD16sMG1', 'rBqD5ohZpK', 'OcGDGN0VWE', 'qqaDmWa6Vk', 'QEvDMftEqp', 'ytoDRMpExj', 'bv2DiOttMs'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, oADqKGkUaYRyu9b1Sa.cs High entropy of concatenated method names: 'g6aVSHfmrD', 'bZAV1SeN9c', 'GUCVQsWwJu', 'I7CV5iHgO8', 'avAVbNaHB3', 'RrVVGIW8iY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, BFNdCoIqsUh76kjhGf.cs High entropy of concatenated method names: 'Dispose', 'aErhg9YINI', 'F6br1fIuRD', 'VPm669cxus', 'gmHhpTl3Zm', 'XVshzcs4n1', 'ProcessDialogKey', 'oUFrfO6e6o', 'i60rhYe5yc', 'IZ5rrLhsRk'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, cXZFcOUmZWwIo86LW1.cs High entropy of concatenated method names: 'AOKUaIT086', 'D6SU4L2sZv', 'FpHUNIisW9', 'c8XUnB2Pon', 'mtVUZp2Bw1', 'bibUWWkqQw', 'Uw5Ul3G9In', 'i9DUVdSCfu', 'LCyUJXg2uh', 'J3oUABWgYI'
Source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, Xuk8CuiJPjiclIovj4.cs High entropy of concatenated method names: 'aFblPN3Rm8', 'L8Ul2uDsJc', 'ToString', 'xIVlEihTtU', 'wrvleDdFjx', 'kpalUBK1Dx', 'zAoljFoNIk', 'CwxlHCVVwQ', 'N2tlTPNcDj', 'Q4mlKWswVg'
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, R87QTajabri3WprdxA.cs High entropy of concatenated method names: 'SoFXXYTXBr', 'VXePqW7LxoGttIrQMM', 'VJKqh4rSy8UE5CPs2d', 'w7T6rNymrPsVe05ZjX', 'Qa5usbZfG', 'UsaN6r2JI', 'Dispose', 'xdE70OV1R', 'WKG8Nh2TLfQX7DMBJq', 'FCyDZoO16YhsTUYx7V'
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, I1Ds3abkUA5mh3kywv.cs High entropy of concatenated method names: 'I6pnpGMEc', 'pUPSoKeTB', 'w3OonGh86', 'S3aaCOvyF', 'MagvcleIh', 'hvmph4XfL', 'eXtqEM8mO', 'RC38AH4Bb', 'hyVW2X9uL', 'AbHynsT40'
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, AJO8kvyDr8qxYWB5Qt.cs High entropy of concatenated method names: 'sRJJ4PC1lt6MgSX9oLN', 'qCuPUJCYMdGJYrcKdqj', 'T9OMNMJAsS', 'KH71sVC96gudd8OjhqS', 'qSoaq8CnboJYXbPCm1H', 'XtbiVDCeUWVlZdG2V08', 'D2TFRiCIaLSytg31rTE', 'MtxGm4CM57HGXUKQMIN', 'RgtTUJcyZL', 'eFmMT9Tlnp'
Source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, QEHxtuXFnnkJABhbAo.cs High entropy of concatenated method names: 'Geosg7Hdn', 'wwIBOnTmd', 'siWV4YECO', 'k32FNitut', 'cUAG5mh3k', 'JwvHwu9Dw', 'cr1hyajqeLqaQ4F9dK', 'Pgut89mcfAIn6Hs5oN', 'Dispose', 'MoveNext'

Persistence and Installation Behavior

Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1651215137.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2053230169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6388, type: MEMORYSTR
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\Windows\svchost.com Jump to dropped file

Boot Survival

Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1651215137.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2053230169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6388, type: MEMORYSTR
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6900, type: MEMORYSTR
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 2FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 3170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 5170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 5800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 6800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 6930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: 7930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: A890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: B890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: BD20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: CD20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe TID: 416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 2_2_00405080
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 2_2_00405634
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00404F6C FindFirstFileA,FindClose, 2_2_00404F6C
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 2_2_004056A7
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 2_2_00406D40
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\ Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\ Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\ Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\ Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\ Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\ Jump to behavior
Source: QSPC03PC230308097.exe, 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: z5uEeReXtc5VMCiWX2R8F3avOCP9x00YNdK4
Source: QSPC03PC230308097.exe, 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: z5uEeReXtc5VMCiWX2
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QSPC03PC230308097.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Memory written: C:\Users\user\Desktop\QSPC03PC230308097.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Process created: C:\Users\user\Desktop\QSPC03PC230308097.exe "C:\Users\user\Desktop\QSPC03PC230308097.exe" Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: GetLocaleInfoA, 2_2_00403CB4
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Users\user\Desktop\QSPC03PC230308097.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_004057D8 GetLocalTime, 2_2_004057D8
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Code function: 2_2_00403D7D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 2_2_00403D7D
Source: C:\Users\user\Desktop\QSPC03PC230308097.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.QSPC03PC230308097.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1651215137.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2053230169.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6388, type: MEMORYSTR
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.a040000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.31d2338.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1656361976.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1651215137.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6900, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4e01aa0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.4d7b880.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1652172604.0000000004B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QSPC03PC230308097.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.a040000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.31d2338.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.31d2338.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QSPC03PC230308097.exe.a040000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1656361976.000000000A040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1651215137.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos