Analysis Report vi0EwpbUht

Overview

General Information

Sample Name:	vi0EwpbUht (renamed file extension from none to exe)
Analysis ID:	432848
MD5:	f478c15f5affd8359762b8c6b0e913a4
SHA1:	05b36949abd35a132488158f38149c7b582c8d3a
SHA256:	e355ac0da4996011e91f28b11e03c44d54606ae4ceb0bc4f6d0a0edc4b3410ed
Tags:	exeneshta
Infos:
Most interesting Screenshot:

Detection

FormBook Neshta

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Yara detected Neshta

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: vi0EwpbUht.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Neshta.A

Found malware configuration

Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.personalizedyardsigns.com/xkcp/"], "decoy": ["plcnotary.com", "pennywisebusiness.net", "negatzone.com", "hangclinic.com", "choice-home-warranty-review.com", "oslojistas.com", "keguanchina.com", "amazoncarbonhub.com", "myworkaccident.com", "shipu299.com", "henselectrlc.com", "store55588.com", "11ncbee.net", "reissantorini.com", "karta.gold", "goldenstatesurplus.net", "soslifefood.com", "bis-adapter.net", "harrywalia.com", "myboutiqueflowers.com", "rareearthmetalrefining.com", "triathletestrength.com", "jumtix.xyz", "shropshirepaddleboarding.com", "promocaomercadolivre.com", "tetratechinstruction.com", "emergingleadership.coach", "aresponsibleperson.net", "gethesspp.com", "zicanotes.com", "lance2375problems.com", "sxkeyuanda.com", "hotradio1.com", "dcsingersforhire.com", "shophigh5.com", "heaustralia.site", "bandlaser.com", "pucksbar.net", "financialdy.com", "digech.com", "livablelandbuyer.com", "bccluster.com", "xn--o39ay81ahtag62aba.com", "petalumaroofing.com", "handmadebyclydelle.com", "thecanineharness.com", "83twistleton.com", "shardulwakade.net", "shopcovetandcrave.com", "babateeconsult.com", "plancougar.com", "buyketoeasy.com", "dccustomcreation.com", "nutellajam.com", "kaiocarvalho.com", "treschicbeautyloft.com", "gofornye.com", "agileintelligence.coach", "poetryartists.com", "teailn.com", "letsreflectonline.net", "uggoutletosterreich.com", "metododgl.com", "centurygreatpath.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Metadefender: Detection: 91%	Perma Link
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: vi0EwpbUht.exe	Metadefender: Detection: 91%			Perma Link
Source: vi0EwpbUht.exe	ReversingLabs: Detection: 100%

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: vi0EwpbUht.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.vi0EwpbUht.exe.400000.0.unpack	Avira: Label: W32/Neshta.A
Source: 7.1.elxhan.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.NETSTAT.EXE.292ed78.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.svchost.com.400000.0.unpack	Avira: Label: W32/Neshta.A
Source: 3.1.vi0EwpbUht.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.elxhan.exe.22b0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.vi0EwpbUht.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.elxhan.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.NETSTAT.EXE.328f834.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.vi0EwpbUht.exe.2ff0000.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.svchost.com.400000.0.unpack	Avira: Label: W32/Neshta.A
Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.vi0EwpbUht.exe.400000.0.unpack	Avira: Label: W32/Neshta.A
Source: 4.0.explorer.exe.1183f834.74.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files

Source: vi0EwpbUht.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source:	Binary string: netstat.pdbGCTL source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.439100550.0000000007CA0000.00000002.00000001.sdmp
Source:	Binary string: netstat.pdb source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: vi0EwpbUht.exe, 00000002.00000003.327241678.0000000003140000.00000004.00000001.sdmp, vi0EwpbUht.exe, 00000003.00000002.462415723.00000000009A0000.00000040.00000001.sdmp, elxhan.exe, 00000007.00000002.565127229.0000000000B0F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vi0EwpbUht.exe, elxhan.exe, NETSTAT.EXE, help.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.439100550.0000000007CA0000.00000002.00000001.sdmp

Spreading:

Yara detected Neshta

Source: Yara match	File source: 00000005.00000002.566051764.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.582330780.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vi0EwpbUht.exe PID: 7096, type: MEMORY
Source: Yara match	File source: 1.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.com.400000.0.unpack, type: UNPACKEDPE

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Jump to behavior

Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00405080 FindFirstFileA,FindNextFileA,FindClose,	1_2_00405080
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00405634 FindFirstFileA,FindNextFileA,FindClose,	1_2_00405634
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404F6C FindFirstFileA,FindClose,	1_2_00404F6C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,	1_2_0040F0C4
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,	1_2_0040F0CC
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,	1_2_0040F13F
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,	1_2_004056A7
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040EA04 FindFirstFileA,FindClose,	1_2_0040EA04
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040EB16 FindFirstFileA,FindClose,	1_2_0040EB16
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,	1_2_0040EB18
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 2_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	2_2_00405302
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 2_2_00405CD8 FindFirstFileA,FindClose,	2_2_00405CD8
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 2_2_0040263E FindFirstFileA,	2_2_0040263E
Source: C:\Windows\svchost.com	Code function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose,	5_2_00405634
Source: C:\Windows\svchost.com	Code function: 5_2_00404F6C FindFirstFileA,FindClose,	5_2_00404F6C
Source: C:\Windows\svchost.com	Code function: 5_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,	5_2_0040F0C4
Source: C:\Windows\svchost.com	Code function: 5_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,	5_2_0040F0CC
Source: C:\Windows\svchost.com	Code function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose,	5_2_00405080
Source: C:\Windows\svchost.com	Code function: 5_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,	5_2_0040F13F
Source: C:\Windows\svchost.com	Code function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,	5_2_004056A7
Source: C:\Windows\svchost.com	Code function: 5_2_0040EA04 FindFirstFileA,FindClose,	5_2_0040EA04
Source: C:\Windows\svchost.com	Code function: 5_2_0040EB16 FindFirstFileA,FindClose,	5_2_0040EB16
Source: C:\Windows\svchost.com	Code function: 5_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,	5_2_0040EB18

Source: C:\Users\user\Desktop\vi0EwpbUht.exe

Code function: 1_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,

1_2_00406D40

Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File opened: C:\Documents and Settings\All Users\	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File opened: C:\Documents and Settings\All Users\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11357\	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\	Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.personalizedyardsigns.com/xkcp/

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ== HTTP/1.1Host: www.agileintelligence.coachConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.agileintelligence.coach

Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: vi0EwpbUht.exe, vi0EwpbUht.exe, 00000002.00000002.335758150.0000000000409000.00000004.00020000.sdmp, vi0EwpbUht.exe, 00000003.00000000.322686039.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vi0EwpbUht.exe, 00000002.00000002.335758150.0000000000409000.00000004.00020000.sdmp, vi0EwpbUht.exe, 00000003.00000000.322686039.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.337120885.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe

Code function: 2_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_00404EB9

Installs a raw input device (often for capturing keystrokes)

Source: vi0EwpbUht.exe, 00000001.00000003.460371414.0000000002390000.00000004.00000001.sdmp

Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_0041A050 NtClose,	3_2_0041A050
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_0041A100 NtAllocateVirtualMemory,	3_2_0041A100
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00419F20 NtCreateFile,	3_2_00419F20
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00419FD0 NtReadFile,	3_2_00419FD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_0041A04A NtClose,	3_2_0041A04A
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00419F74 NtCreateFile,	3_2_00419F74
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00419F1A NtCreateFile,	3_2_00419F1A
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00419FCB NtReadFile,	3_2_00419FCB
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_00A098F0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00A09860
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09840 NtDelayExecution,LdrInitializeThunk,	3_2_00A09840
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A099A0 NtCreateSection,LdrInitializeThunk,	3_2_00A099A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_00A09910
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09A20 NtResumeThread,LdrInitializeThunk,	3_2_00A09A20
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_00A09A00
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09A50 NtCreateFile,LdrInitializeThunk,	3_2_00A09A50
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A095D0 NtClose,LdrInitializeThunk,	3_2_00A095D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09540 NtReadFile,LdrInitializeThunk,	3_2_00A09540
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00A096E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00A09660
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_00A097A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09780 NtMapViewOfSection,LdrInitializeThunk,	3_2_00A09780
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09710 NtQueryInformationToken,LdrInitializeThunk,	3_2_00A09710
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A098A0 NtWriteVirtualMemory,	3_2_00A098A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09820 NtEnumerateKey,	3_2_00A09820
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A0B040 NtSuspendThread,	3_2_00A0B040
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A099D0 NtCreateProcessEx,	3_2_00A099D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09950 NtQueueApcThread,	3_2_00A09950
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09A80 NtOpenDirectoryObject,	3_2_00A09A80
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09A10 NtQuerySection,	3_2_00A09A10
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A0A3B0 NtGetContextThread,	3_2_00A0A3B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09B00 NtSetValueKey,	3_2_00A09B00
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A095F0 NtQueryInformationFile,	3_2_00A095F0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09520 NtWaitForSingleObject,	3_2_00A09520
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A0AD30 NtSetContextThread,	3_2_00A0AD30
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09560 NtWriteFile,	3_2_00A09560
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A096D0 NtCreateKey,	3_2_00A096D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09610 NtEnumerateValueKey,	3_2_00A09610
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09670 NtQueryInformationProcess,	3_2_00A09670
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09650 NtQueryValueKey,	3_2_00A09650
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09FE0 NtCreateMutant,	3_2_00A09FE0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09730 NtQueryVirtualMemory,	3_2_00A09730
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A0A710 NtOpenProcessToken,	3_2_00A0A710
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09760 NtOpenProcess,	3_2_00A09760
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A09770 NtSetInformationFile,	3_2_00A09770
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A0A770 NtOpenThread,	3_2_00A0A770
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_0041A050 NtClose,	3_1_0041A050
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_0041A100 NtAllocateVirtualMemory,	3_1_0041A100
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00419F20 NtCreateFile,	3_1_00419F20
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00419FD0 NtReadFile,	3_1_00419FD0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_0041A04A NtClose,	3_1_0041A04A
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00419F74 NtCreateFile,	3_1_00419F74
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00419F1A NtCreateFile,	3_1_00419F1A
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00419FCB NtReadFile,	3_1_00419FCB
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_0041A050 NtClose,	7_2_0041A050
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_0041A100 NtAllocateVirtualMemory,	7_2_0041A100
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00419F20 NtCreateFile,	7_2_00419F20
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00419FD0 NtReadFile,	7_2_00419FD0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_0041A04A NtClose,	7_2_0041A04A
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00419F74 NtCreateFile,	7_2_00419F74
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00419F1A NtCreateFile,	7_2_00419F1A
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00419FCB NtReadFile,	7_2_00419FCB
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk,	7_2_00A598F0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_00A59860
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59840 NtDelayExecution,LdrInitializeThunk,	7_2_00A59840
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A599A0 NtCreateSection,LdrInitializeThunk,	7_2_00A599A0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_00A59910
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59A20 NtResumeThread,LdrInitializeThunk,	7_2_00A59A20
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_00A59A00
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59A50 NtCreateFile,LdrInitializeThunk,	7_2_00A59A50
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A595D0 NtClose,LdrInitializeThunk,	7_2_00A595D0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59540 NtReadFile,LdrInitializeThunk,	7_2_00A59540
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_00A596E0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_00A59660
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_00A597A0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59780 NtMapViewOfSection,LdrInitializeThunk,	7_2_00A59780
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59710 NtQueryInformationToken,LdrInitializeThunk,	7_2_00A59710
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A598A0 NtWriteVirtualMemory,	7_2_00A598A0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59820 NtEnumerateKey,	7_2_00A59820
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A5B040 NtSuspendThread,	7_2_00A5B040
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A599D0 NtCreateProcessEx,	7_2_00A599D0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59950 NtQueueApcThread,	7_2_00A59950
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59A80 NtOpenDirectoryObject,	7_2_00A59A80
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59A10 NtQuerySection,	7_2_00A59A10
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A5A3B0 NtGetContextThread,	7_2_00A5A3B0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59B00 NtSetValueKey,	7_2_00A59B00
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A595F0 NtQueryInformationFile,	7_2_00A595F0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59520 NtWaitForSingleObject,	7_2_00A59520
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A5AD30 NtSetContextThread,	7_2_00A5AD30
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59560 NtWriteFile,	7_2_00A59560
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A596D0 NtCreateKey,	7_2_00A596D0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59610 NtEnumerateValueKey,	7_2_00A59610
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59670 NtQueryInformationProcess,	7_2_00A59670
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59650 NtQueryValueKey,	7_2_00A59650
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59FE0 NtCreateMutant,	7_2_00A59FE0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59730 NtQueryVirtualMemory,	7_2_00A59730
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A5A710 NtOpenProcessToken,	7_2_00A5A710
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59760 NtOpenProcess,	7_2_00A59760
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A59770 NtSetInformationFile,	7_2_00A59770
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A5A770 NtOpenThread,	7_2_00A5A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9A50 NtCreateFile,LdrInitializeThunk,	17_2_02DC9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9840 NtDelayExecution,LdrInitializeThunk,	17_2_02DC9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_02DC9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC99A0 NtCreateSection,LdrInitializeThunk,	17_2_02DC99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_02DC9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC96D0 NtCreateKey,LdrInitializeThunk,	17_2_02DC96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_02DC96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9650 NtQueryValueKey,LdrInitializeThunk,	17_2_02DC9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_02DC9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9FE0 NtCreateMutant,LdrInitializeThunk,	17_2_02DC9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9780 NtMapViewOfSection,LdrInitializeThunk,	17_2_02DC9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9710 NtQueryInformationToken,LdrInitializeThunk,	17_2_02DC9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC95D0 NtClose,LdrInitializeThunk,	17_2_02DC95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9540 NtReadFile,LdrInitializeThunk,	17_2_02DC9540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9A80 NtOpenDirectoryObject,	17_2_02DC9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9A10 NtQuerySection,	17_2_02DC9A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9A00 NtProtectVirtualMemory,	17_2_02DC9A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9A20 NtResumeThread,	17_2_02DC9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DCA3B0 NtGetContextThread,	17_2_02DCA3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9B00 NtSetValueKey,	17_2_02DC9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC98F0 NtReadVirtualMemory,	17_2_02DC98F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC98A0 NtWriteVirtualMemory,	17_2_02DC98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DCB040 NtSuspendThread,	17_2_02DCB040
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9820 NtEnumerateKey,	17_2_02DC9820
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC99D0 NtCreateProcessEx,	17_2_02DC99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9950 NtQueueApcThread,	17_2_02DC9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9670 NtQueryInformationProcess,	17_2_02DC9670
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9610 NtEnumerateValueKey,	17_2_02DC9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC97A0 NtUnmapViewOfSection,	17_2_02DC97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DCA770 NtOpenThread,	17_2_02DCA770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9770 NtSetInformationFile,	17_2_02DC9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9760 NtOpenProcess,	17_2_02DC9760
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DCA710 NtOpenProcessToken,	17_2_02DCA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9730 NtQueryVirtualMemory,	17_2_02DC9730
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC95F0 NtQueryInformationFile,	17_2_02DC95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9560 NtWriteFile,	17_2_02DC9560
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DCAD30 NtSetContextThread,	17_2_02DCAD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DC9520 NtWaitForSingleObject,	17_2_02DC9520
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_0236A050 NtClose,	17_2_0236A050
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_0236A100 NtAllocateVirtualMemory,	17_2_0236A100
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02369F20 NtCreateFile,	17_2_02369F20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02369FD0 NtReadFile,	17_2_02369FD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_0236A04A NtClose,	17_2_0236A04A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02369F1A NtCreateFile,	17_2_02369F1A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02369F74 NtCreateFile,	17_2_02369F74
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02369FCB NtReadFile,	17_2_02369FCB
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	23_2_036C9910
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9860 NtQuerySystemInformation,LdrInitializeThunk,	23_2_036C9860
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9FE0 NtCreateMutant,LdrInitializeThunk,	23_2_036C9FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	23_2_036C9660
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	23_2_036C96E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C95D0 NtClose,LdrInitializeThunk,	23_2_036C95D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9B00 NtSetValueKey,	23_2_036C9B00
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036CA3B0 NtGetContextThread,	23_2_036CA3B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9A50 NtCreateFile,	23_2_036C9A50
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9A20 NtResumeThread,	23_2_036C9A20
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9A00 NtProtectVirtualMemory,	23_2_036C9A00
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9A10 NtQuerySection,	23_2_036C9A10
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9A80 NtOpenDirectoryObject,	23_2_036C9A80
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9950 NtQueueApcThread,	23_2_036C9950
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C99D0 NtCreateProcessEx,	23_2_036C99D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C99A0 NtCreateSection,	23_2_036C99A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036CB040 NtSuspendThread,	23_2_036CB040
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9840 NtDelayExecution,	23_2_036C9840
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9820 NtEnumerateKey,	23_2_036C9820
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C98F0 NtReadVirtualMemory,	23_2_036C98F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C98A0 NtWriteVirtualMemory,	23_2_036C98A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9760 NtOpenProcess,	23_2_036C9760
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036CA770 NtOpenThread,	23_2_036CA770
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9770 NtSetInformationFile,	23_2_036C9770
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9730 NtQueryVirtualMemory,	23_2_036C9730
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036CA710 NtOpenProcessToken,	23_2_036CA710
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9710 NtQueryInformationToken,	23_2_036C9710
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C97A0 NtUnmapViewOfSection,	23_2_036C97A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9780 NtMapViewOfSection,	23_2_036C9780
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9670 NtQueryInformationProcess,	23_2_036C9670
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9650 NtQueryValueKey,	23_2_036C9650
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9610 NtEnumerateValueKey,	23_2_036C9610
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C96D0 NtCreateKey,	23_2_036C96D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9560 NtWriteFile,	23_2_036C9560
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9540 NtReadFile,	23_2_036C9540
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C9520 NtWaitForSingleObject,	23_2_036C9520
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036CAD30 NtSetContextThread,	23_2_036CAD30
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036C95F0 NtQueryInformationFile,	23_2_036C95F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E8A050 NtClose,	23_2_00E8A050
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E8A100 NtAllocateVirtualMemory,	23_2_00E8A100
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E89FD0 NtReadFile,	23_2_00E89FD0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E89F20 NtCreateFile,	23_2_00E89F20
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E8A04A NtClose,	23_2_00E8A04A
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E89FCB NtReadFile,	23_2_00E89FCB
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E89F74 NtCreateFile,	23_2_00E89F74
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E89F1A NtCreateFile,	23_2_00E89F1A

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe

Code function: 2_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

2_2_004030CB

Creates driver files

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 2_2_004046CA	2_2_004046CA
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 2_2_00405FA8	2_2_00405FA8
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_0041E1D7	3_2_0041E1D7
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00409E2B	3_2_00409E2B
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00409E30	3_2_00409E30
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A920A8	3_2_00A920A8
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009DB090	3_2_009DB090
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009F20A0	3_2_009F20A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A928EC	3_2_00A928EC
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A9E824	3_2_00A9E824
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A81002	3_2_00A81002
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009EA830	3_2_009EA830
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009E99BF	3_2_009E99BF
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009CF900	3_2_009CF900
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009E4120	3_2_009E4120
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A922AE	3_2_00A922AE
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A84AEF	3_2_00A84AEF
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A7FA2B	3_2_00A7FA2B
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009EB236	3_2_009EB236
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009F138B	3_2_009F138B
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009FEBB0	3_2_009FEBB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A723E3	3_2_00A723E3
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009FABD8	3_2_009FABD8
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A803DA	3_2_00A803DA
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A8DBD2	3_2_00A8DBD2
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A92B28	3_2_00A92B28
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009EA309	3_2_009EA309
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009EAB40	3_2_009EAB40
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A6CB4F	3_2_00A6CB4F
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A84496	3_2_00A84496
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009D841F	3_2_009D841F
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A8D466	3_2_00A8D466
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009EB477	3_2_009EB477
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009F2581	3_2_009F2581
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A82D82	3_2_00A82D82
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A925DD	3_2_00A925DD
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009DD5E0	3_2_009DD5E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A92D07	3_2_00A92D07
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009C0D20	3_2_009C0D20
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A91D55	3_2_00A91D55
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A92EF7	3_2_00A92EF7
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_009E6E30	3_2_009E6E30
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A8D616	3_2_00A8D616
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A91FF1	3_2_00A91FF1
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_2_00A9DFCE	3_2_00A9DFCE
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00401030	3_1_00401030
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_0041E1D7	3_1_0041E1D7
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00402D87	3_1_00402D87
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00402D90	3_1_00402D90
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00409E2B	3_1_00409E2B
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00409E30	3_1_00409E30
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: 3_1_00402FB0	3_1_00402FB0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_0041E1D7	7_2_0041E1D7
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00402D87	7_2_00402D87
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00409E2B	7_2_00409E2B
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00409E30	7_2_00409E30
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A420A0	7_2_00A420A0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE20A8	7_2_00AE20A8
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A2B090	7_2_00A2B090
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE28EC	7_2_00AE28EC
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AEE824	7_2_00AEE824
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A3A830	7_2_00A3A830
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AD1002	7_2_00AD1002
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A34120	7_2_00A34120
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A1F900	7_2_00A1F900
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE22AE	7_2_00AE22AE
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00ACFA2B	7_2_00ACFA2B
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A4EBB0	7_2_00A4EBB0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AD03DA	7_2_00AD03DA
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00ADDBD2	7_2_00ADDBD2
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE2B28	7_2_00AE2B28
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A3AB40	7_2_00A3AB40
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A2841F	7_2_00A2841F
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00ADD466	7_2_00ADD466
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A42581	7_2_00A42581
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A2D5E0	7_2_00A2D5E0
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE25DD	7_2_00AE25DD
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A10D20	7_2_00A10D20
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE2D07	7_2_00AE2D07
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE1D55	7_2_00AE1D55
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE2EF7	7_2_00AE2EF7
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00A36E30	7_2_00A36E30
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00ADD616	7_2_00ADD616
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AE1FF1	7_2_00AE1FF1
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: 7_2_00AEDFCE	7_2_00AEDFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E44AEF	17_2_02E44AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E522AE	17_2_02E522AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E3FA2B	17_2_02E3FA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E323E3	17_2_02E323E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DBABD8	17_2_02DBABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E4DBD2	17_2_02E4DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E403DA	17_2_02E403DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DBEBB0	17_2_02DBEBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DAAB40	17_2_02DAAB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E52B28	17_2_02E52B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DAA309	17_2_02DAA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E528EC	17_2_02E528EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02D9B090	17_2_02D9B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E520A8	17_2_02E520A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DB20A0	17_2_02DB20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E5E824	17_2_02E5E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E41002	17_2_02E41002
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DAA830	17_2_02DAA830
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DA99BF	17_2_02DA99BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02D8F900	17_2_02D8F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DA4120	17_2_02DA4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E52EF7	17_2_02E52EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DA6E30	17_2_02DA6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E4D616	17_2_02E4D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E51FF1	17_2_02E51FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E5DFCE	17_2_02E5DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E44496	17_2_02E44496
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E4D466	17_2_02E4D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02D9841F	17_2_02D9841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E525DD	17_2_02E525DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02D9D5E0	17_2_02D9D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02DB2581	17_2_02DB2581
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E42D82	17_2_02E42D82
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E51D55	17_2_02E51D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02E52D07	17_2_02E52D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02D80D20	17_2_02D80D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_0236E1D7	17_2_0236E1D7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02359E30	17_2_02359E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02359E2B	17_2_02359E2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02352FB0	17_2_02352FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02352D90	17_2_02352D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 17_2_02352D87	17_2_02352D87
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A3360	23_2_036A3360
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036AAB40	23_2_036AAB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0372CB4F	23_2_0372CB4F
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03752B28	23_2_03752B28
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036AA309	23_2_036AA309
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0374231B	23_2_0374231B
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036D8BE8	23_2_036D8BE8
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037323E3	23_2_037323E3
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0374DBD2	23_2_0374DBD2
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037403DA	23_2_037403DA
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036BABD8	23_2_036BABD8
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036BEBB0	23_2_036BEBB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B138B	23_2_036B138B
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036AEB9A	23_2_036AEB9A
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0372EB8A	23_2_0372EB8A
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03745A4F	23_2_03745A4F
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0373FA2B	23_2_0373FA2B
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036AB236	23_2_036AB236
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03744AEF	23_2_03744AEF
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0374E2C5	23_2_0374E2C5
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037522AE	23_2_037522AE
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037532A9	23_2_037532A9
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A4120	23_2_036A4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0368F900	23_2_0368F900
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0369C1C0	23_2_0369C1C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A99BF	23_2_036A99BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A2990	23_2_036A2990
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0375E824	23_2_0375E824
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036AA830	23_2_036AA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03686800	23_2_03686800
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03741002	23_2_03741002
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B701D	23_2_036B701D
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037460F5	23_2_037460F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037528EC	23_2_037528EC
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B20A0	23_2_036B20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037520A8	23_2_037520A8
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0369B090	23_2_0369B090
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03751FF1	23_2_03751FF1
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037467E2	23_2_037467E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0375DFCE	23_2_0375DFCE
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0370AE60	23_2_0370AE60
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A6E30	23_2_036A6E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0374D616	23_2_0374D616
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A5600	23_2_036A5600
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03752EF7	23_2_03752EF7
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B06C0	23_2_036B06C0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03731EB6	23_2_03731EB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03751D55	23_2_03751D55
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A2D50	23_2_036A2D50
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03680D20	23_2_03680D20
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03752D07	23_2_03752D07
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0369D5E0	23_2_0369D5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_037525DD	23_2_037525DD
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B65A0	23_2_036B65A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B2581	23_2_036B2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03742D82	23_2_03742D82
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0374CC77	23_2_0374CC77
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0374D466	23_2_0374D466
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036AB477	23_2_036AB477
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036A2430	23_2_036A2430
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_0369841F	23_2_0369841F
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_036B4CD4	23_2_036B4CD4
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_03744496	23_2_03744496
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E8E1D7	23_2_00E8E1D7
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E72D87	23_2_00E72D87
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E72D90	23_2_00E72D90
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E79E2B	23_2_00E79E2B
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E79E30	23_2_00E79E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 23_2_00E72FB0	23_2_00E72FB0

Source: Joe Sandbox View	Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
Source: Joe Sandbox View	Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe 3D49D6B3360EB03FDD43A4C926213F8B348ABEDE3A5D8B7A4530BF8ED4AE1B72

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02D8B150 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: String function: 0041BDA0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: String function: 009CB150 appears 136 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 036DD08C appears 48 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 03715720 appears 85 times
Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 0368B150 appears 177 times
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: String function: 00A1B150 appears 54 times

Source: vi0EwpbUht.exe, 00000001.00000002.585454565.0000000002240000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs vi0EwpbUht.exe
Source: vi0EwpbUht.exe, 00000001.00000002.585454565.0000000002240000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs vi0EwpbUht.exe
Source: vi0EwpbUht.exe, 00000001.00000002.584995806.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs vi0EwpbUht.exe
Source: vi0EwpbUht.exe, 00000002.00000003.324725121.0000000003226000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vi0EwpbUht.exe
Source: vi0EwpbUht.exe, 00000002.00000002.336317174.0000000002190000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs vi0EwpbUht.exe
Source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs vi0EwpbUht.exe
Source: vi0EwpbUht.exe, 00000003.00000002.464510666.0000000000ABF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vi0EwpbUht.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vi0EwpbUht.exe 'C:\Users\user\Desktop\vi0EwpbUht.exe'
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\svchost.com 'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe'
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Unpacked PE file: 3.2.vi0EwpbUht.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Unpacked PE file: 7.2.elxhan.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040802C push 00408052h; ret	1_2_0040804A
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004070A4 push 004070D0h; ret	1_2_004070C8
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004041D8 push 00404204h; ret	1_2_004041FC
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004041A0 push 004041CCh; ret	1_2_004041C4
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404256 push 00404284h; ret	1_2_0040427C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404258 push 00404284h; ret	1_2_0040427C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404210 push 0040423Ch; ret	1_2_00404234
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004042C8 push 004042F4h; ret	1_2_004042EC
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404290 push 004042BCh; ret	1_2_004042B4
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404370 push 0040439Ch; ret	1_2_00404394
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404300 push 0040432Ch; ret	1_2_00404324
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00404338 push 00404364h; ret	1_2_0040435C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004043E0 push 0040440Ch; ret	1_2_00404404
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_004043A8 push 004043D4h; ret	1_2_004043CC
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00410778 push 00406D36h; ret	1_2_004107C6
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040D7C0 push 00403D79h; ret	1_2_0040D809
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040D9F0 push 00403F84h; ret	1_2_0040DA14
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DA28 push 00403FBCh; ret	1_2_0040DA4C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00411AC4 push 00408052h; ret	1_2_00411AE2
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00410B3C push 004070D0h; ret	1_2_00410B60
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DC70 push 00404204h; ret	1_2_0040DC94
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DC38 push 004041CCh; ret	1_2_0040DC5C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00406CE0 push 00406D36h; ret	1_2_00406D2E
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DCEE push 00404284h; ret	1_2_0040DD14
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DCF0 push 00404284h; ret	1_2_0040DD14
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DCA8 push 0040423Ch; ret	1_2_0040DCCC
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DD60 push 004042F4h; ret	1_2_0040DD84
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_00403D28 push 00403D79h; ret	1_2_00403D71
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DD28 push 004042BCh; ret	1_2_0040DD4C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DDD0 push 00404364h; ret	1_2_0040DDF4
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: 1_2_0040DD98 push 0040432Ch; ret	1_2_0040DDBC

Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File written: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File written: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	File created: C:\Users\user\AppData\Local\Temp\nse728B.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	File created: C:\Users\user\AppData\Local\Temp\nsrAB5E.tmp\System.dll	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	File created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run gmsauh			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run gmsauh			Jump to behavior

Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 00000000023598E4 second address: 00000000023598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000002359B4E second address: 0000000002359B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000000E798E4 second address: 0000000000E798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000000E79B4E second address: 0000000000E79B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Jump to dropped file

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.360481969.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.360481969.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.368886619.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.368886619.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.337120885.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.agileintelligence.coach

Analysis Report vi0EwpbUht

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Section loaded: unknown target: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 3440	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: E0000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Section unmapped: C:\Windows\SysWOW64\help.exe base address: 10A0000			Jump to behavior

Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.336952872.00000000008B8000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.372075782.0000000000EE0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.372075782.0000000000EE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: GetLocaleInfoA,	1_2_0040D74C
Source: C:\Users\user\Desktop\vi0EwpbUht.exe	Code function: GetLocaleInfoA,	1_2_00403CB4
Source: C:\Windows\svchost.com	Code function: GetLocaleInfoA,	5_2_0040D74C
Source: C:\Windows\svchost.com	Code function: GetLocaleInfoA,	5_2_00403CB4

Source: vi0EwpbUht.exe, 00000001.00000003.441467911.00000000022C4000.00000004.00000001.sdmp	Binary or memory string: MSASCui.exe
Source: vi0EwpbUht.exe, 00000001.00000003.441467911.00000000022C4000.00000004.00000001.sdmp	Binary or memory string: MsMpEng.exe

Name	IP	Active
agileintelligence.coach	34.102.136.180	true
www.agileintelligence.coach	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.agileintelligence.coach/xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ==	false	Avira URL Cloud: safe	unknown
www.personalizedyardsigns.com/xkcp/	true	Avira URL Cloud: safe	low

ID:	432848
Product:	CloudBasic
Start time:	20:52:17
Start date:	10.06.2021
Sample:	vi0EwpbUht
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f478c15f5affd8359762b8c6b0e913a4
SHA1:	05b36949abd35a132488158f38149c7b582c8d3a
SHA256:	e355ac0da4996011e91f28b11e03c44d54606ae4ceb0bc4f6d0a0edc4b3410ed
Filetype:	Win32 Executable (generic) a (10002005/4) 97.38%