Windows Analysis Report 6LkjS4JhAl.exe

Overview

General Information

Sample Name: 6LkjS4JhAl.exe
Analysis ID: 490868
MD5: 4aeb49bf7e23aab664de914df204664f
SHA1: a9a80ec2e9ea803aa8db80aac266826304916dbf
SHA256: d11342ce9c7550e129e455126cb6373145ea86ae5ee777a652205541ef4cec2c
Tags: exe, Neshta

Detection

GuLoader Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected Neshta
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
GuLoader behavior detected
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Tries to detect Any.run
Drops executable to a common third party application directory
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 6LkjS4JhAl.exe Virustotal: Detection: 85%
Antivirus / Scanner detection for submitted sample
Source: 6LkjS4JhAl.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Neshta.A
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: 6LkjS4JhAl.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.6LkjS4JhAl.exe.400000.0.unpack Avira: Label: W32/Neshta.A
Source: 0.0.6LkjS4JhAl.exe.400000.0.unpack Avira: Label: W32/Neshta.A

Compliance:

Uses 32bit PE files
Source: 6LkjS4JhAl.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: pst.pdb source: SCANPST.EXE.0.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.0.dr
Source: Binary string: P:\Target\x86\ship\outlook\x-none\scanpst.pdbpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H source: SCANPST.EXE.0.dr
Source: Binary string: P:\Target\x86\ship\outlook\x-none\scanpst.pdb source: SCANPST.EXE.0.dr
Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u211\12973\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr

Spreading:

Yara detected Neshta
Source: Yara match File source: 6LkjS4JhAl.exe, type: SAMPLE
Source: Yara match File source: 0.2.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.506546365.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6LkjS4JhAl.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to behavior
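The list above is the infector's write set on the sandbox image: every path is a legitimately installed third-party binary that the sample rewrote, and the reliable remediation for a file infector is to restore each one from installation media or a known-good backup rather than attempt in-place cleaning. The report also records, under System Summary further down, which of these files the MAL_Neshta_Generic Yara rule later matched with type DROPPED; the written-but-not-matched remainder is where the sandbox did not confirm infection and a scan is still owed. The following Python is an added example, not part of the Joe Sandbox report. It parses the report's own two line formats and runs offline on a constructed excerpt of nine lines copied from this page; the function names parse_report and triage are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt: nine lines copied from this report (five "System file
# written" findings and four Yara matches), embedded so the script runs offline.
REPORT_EXCERPT = r"""
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to behavior
Source: 6LkjS4JhAl.exe, type: SAMPLE Matched rule: MAL_Neshta_Generic date = 2018-01-15, author = Florian Roth
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, author = Florian Roth
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, author = Florian Roth
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, author = Florian Roth
"""

# "System file written: <path>" with the report's trailing "Jump to behavior" link text stripped.
WRITTEN_RE = re.compile(r"System file written: (?P<path>.+?)(?: Jump to behavior)?\s*$")
# Yara hits on dropped files only; SAMPLE/UNPACKEDPE hits are the submitted file, not a victim.
DROPPED_RE = re.compile(r"^Source: (?P<path>.+?), type: DROPPED Matched rule: (?P<rule>\S+)")


def parse_report(text):
    """Return ({casefolded path: path as printed}, {casefolded path: yara rule})."""
    written, confirmed = {}, {}
    for line in text.splitlines():
        m = DROPPED_RE.match(line)
        if m:
            confirmed[m.group("path").casefold()] = m.group("rule")
            continue
        m = WRITTEN_RE.search(line)
        if m:
            path = m.group("path")
            written[path.casefold()] = path  # NTFS paths compare case-insensitively
    return written, confirmed


def triage(text):
    """Build the restore list, split into Yara-confirmed and not-yet-confirmed files."""
    written, confirmed = parse_report(text)
    by_vendor = defaultdict(list)
    for key in sorted(written):
        # group by drive plus two path components, e.g. C:\Program Files (x86)\Microsoft Office
        vendor = "\\".join(written[key].split("\\")[:3])
        by_vendor[vendor].append(written[key])
    return {
        "written": len(written),
        "confirmed": [written[k] for k in sorted(written) if k in confirmed],
        "unconfirmed": [written[k] for k in sorted(written) if k not in confirmed],
        "by_vendor": dict(by_vendor),
    }


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    for vendor, files in result["by_vendor"].items():
        print(vendor, "->", len(files), "file(s) to restore")
    print("written but not confirmed by Yara:", *result["unconfirmed"], sep="\n  ")
```

On the excerpt, two of the five written files (SCANPST.EXE and the AdobeARMHelper.exe copy under ProgramData) have no DROPPED match, which is exactly the set you would queue for a hash or signature check before declaring the host clean; run the same script over the full report text to get the complete list.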
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405080
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405634
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404F6C FindFirstFileA,FindClose, 0_2_00404F6C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0C4
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0CC
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F13F
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 0_2_004056A7
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040EA04 FindFirstFileA,FindClose, 0_2_0040EA04
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040EB16 FindFirstFileA,FindClose, 0_2_0040EB16
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040EB18
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 0_2_00406D40
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\ Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\ Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\ Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\ Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\ Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\ Jump to behavior
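The "File opened" entries with Application Data nested inside itself are the sample's FindFirstFileA/FindNextFileA/FindClose walk (the code functions listed above, seeded by GetLogicalDriveStringsA/GetDriveTypeA) following the compatibility links Windows keeps for legacy paths: C:\Documents and Settings points at C:\Users, All Users at C:\ProgramData, and C:\ProgramData\Application Data back at C:\ProgramData, so a walker that never checks for reparse points re-enters the same directory at every level until path length or reparse depth stops it. The same mistake in a defensive scanner (an IR script sweeping Program Files for overwritten binaries) wastes time and can double-count, so the check is worth showing. The following Python is an added example, not code from the report or the sample: it contrasts a naive walk with one that skips reparse points and keys visited directories on (st_dev, st_ino), exercised on a constructed temporary tree with a self-referential link. Function names (walk_naive, walk_safe, build_looping_tree, demo) are mine; on Windows, os.symlink needs a privileged or developer-mode session, or use mklink /J to create a real junction instead.

```python
import os
import shutil
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # winnt.h; set on junctions as well as symlinks


def is_reparse_point(entry):
    """True for a symlink on any OS and for a junction/other reparse point on Windows."""
    st = entry.stat(follow_symlinks=False)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def walk_naive(root, max_depth=6):
    """Descends into every directory entry, links included; only the depth cap ends it."""
    found, stack = [], [(root, 0)]
    while stack:
        path, depth = stack.pop()
        if depth > max_depth:
            continue
        with os.scandir(path) as it:
            for e in it:
                if e.is_dir():  # follow_symlinks=True by default: re-enters the link target
                    stack.append((e.path, depth + 1))
                elif e.name.lower().endswith(".exe"):
                    found.append(e.path)
    return found


def walk_safe(root):
    """Skips reparse points and records (st_dev, st_ino) so each real directory is scanned once."""
    found, seen, stack = [], set(), [root]
    while stack:
        path = stack.pop()
        st = os.stat(path)
        if (st.st_dev, st.st_ino) in seen:
            continue
        seen.add((st.st_dev, st.st_ino))
        with os.scandir(path) as it:
            for e in it:
                if is_reparse_point(e):
                    continue
                if e.is_dir(follow_symlinks=False):
                    stack.append(e.path)
                elif e.is_file(follow_symlinks=False) and e.name.lower().endswith(".exe"):
                    found.append(e.path)
    return found


def build_looping_tree():
    """Constructed fixture mimicking ProgramData with a self-referential 'Application Data' link."""
    base = tempfile.mkdtemp(prefix="neshta-walk-")
    pd = os.path.join(base, "ProgramData")
    os.makedirs(os.path.join(pd, "Adobe", "ARM"))
    for rel in (("setup.exe",), ("Adobe", "ARM", "AdobeARMHelper.exe")):
        with open(os.path.join(pd, *rel), "wb") as f:
            f.write(b"MZ")  # placeholder content, not a real PE
    # On Windows the real thing is a junction (mklink /J); a symlink reproduces the loop elsewhere.
    os.symlink(pd, os.path.join(pd, "Application Data"), target_is_directory=True)
    return base


def demo():
    """Returns (files seen by the safe walk, files seen by the naive walk, nested loop observed)."""
    base = build_looping_tree()
    try:
        safe, naive = walk_safe(base), walk_naive(base)
    finally:
        shutil.rmtree(base)
    nested = os.path.join("Application Data", "Application Data")
    return len(safe), len(naive), any(nested in p for p in naive)


if __name__ == "__main__":
    print("safe=%d naive=%d loop_observed=%s" % demo())
```

The safe walk reports the two fixture executables exactly once; the naive walk reports the same files again at every nesting level and produces paths of the Application Data\Application Data shape seen in the report, stopping only because of its depth cap.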

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: 6LkjS4JhAl.exe, 00000000.00000003.368839921.0000000002360000.00000004.00000001.sdmp Binary or memory string: _WinAPI_RegisterRawInputDevices.au3
This finding rests on a single string in a writable memory region of the sample process. _WinAPI_RegisterRawInputDevices.au3 is the file name of a standard AutoIt UDF include, so the string on its own shows neither that RegisterRawInputDevices is imported nor that it is called; confirm against an API trace before reporting keystroke capture.

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: 6LkjS4JhAl.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
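The six names above are bits of IMAGE_FILE_HEADER.Characteristics and sum to 0x818E. Two of them, BYTES_REVERSED_LO and BYTES_REVERSED_HI, are flags Microsoft documents as deprecated and its own linkers leave clear, while the Borland/Delphi linker sets them, so this exact combination is a common (not conclusive) sign of a Delphi-built binary, which fits the Neshta family named by the Yara rule. The following Python is an added example, not part of the report: it decodes the field from a PE file header, exercises the decoder on a constructed minimal header carrying the reported value, and applies that heuristic. The function and constant names (parse_file_header, build_stub, delphi_linker_fingerprint, REPORTED_CHARACTERISTICS) are mine, and the fingerprint is a heuristic, not a rule.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, named as in winnt.h without the IMAGE_FILE_ prefix
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0010: "AGGRESIVE_WS_TRIM",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP",
    0x0800: "NET_RUN_FROM_SWAP",
    0x1000: "SYSTEM",
    0x2000: "DLL",
    0x4000: "UP_SYSTEM_ONLY",
    0x8000: "BYTES_REVERSED_HI",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
FILE_HEADER = struct.Struct("<HHIIIHH")

# The six flags the report lists for 6LkjS4JhAl.exe sum to this value.
REPORTED_CHARACTERISTICS = 0x818E


def parse_file_header(data):
    """Decode IMAGE_FILE_HEADER from a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 4 + FILE_HEADER.size > len(data):
        raise ValueError("PE signature not found or header truncated")
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = FILE_HEADER.unpack_from(data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": chars,
        "flags": [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit],
    }


def delphi_linker_fingerprint(info):
    """Heuristic: both deprecated BYTES_REVERSED bits set is typical of Borland/Delphi output."""
    return info["characteristics"] & 0x8080 == 0x8080


def characteristics_of(path):
    """Decode the file header of a PE on disk."""
    with open(path, "rb") as f:
        return parse_file_header(f.read())


def build_stub(characteristics, machine=0x014C):
    """Constructed minimal MZ/PE header (not a loadable image) carrying the given flags."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    FILE_HEADER.pack_into(hdr, 0x44, machine, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(hdr)


if __name__ == "__main__":
    info = parse_file_header(build_stub(REPORTED_CHARACTERISTICS))
    print(hex(info["characteristics"]), info["machine"], ", ".join(info["flags"]))
    print("Delphi-linker fingerprint:", delphi_linker_fingerprint(info))
```

Running characteristics_of over the overwritten binaries listed in this report would show the same 0x818E pattern on each infected copy, since the infector's own header now sits at the front of every victim; a Microsoft-linked program such as WINWORD.EXE should never carry the BYTES_REVERSED bits, which makes this a cheap first-pass triage check before the slower signature verification.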
Yara signature match
Matched rule: MAL_Neshta_Generic (author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, date = 2018-01-15, modified = 2021-04-14, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb). The rule matched the following sources:
Source: 6LkjS4JhAl.exe, type: SAMPLE
Source: 0.2.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.0.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Windows\svchost.com, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Creates files inside the system directory
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Windows\svchost.com
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: 6LkjS4JhAl.exe, 00000000.00000002.502560999.0000000000190000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 6LkjS4JhAl.exe
Source: 6LkjS4JhAl.exe, 00000000.00000003.231592014.0000000002297000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAnnidalino6.exe vs 6LkjS4JhAl.exe
Source: 6LkjS4JhAl.exe, 00000001.00000000.232854199.0000000000412000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAnnidalino6.exe vs 6LkjS4JhAl.exe
Source: 6LkjS4JhAl.exe Binary or memory string: OriginalFilenameAnnidalino6.exe vs 6LkjS4JhAl.exe
PE file contains strange resources
Source: 6LkjS4JhAl.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
Source: 6LkjS4JhAl.exe Virustotal: Detection: 85%
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File read: C:\Users\user\Desktop\6LkjS4JhAl.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\6LkjS4JhAl.exe 'C:\Users\user\Desktop\6LkjS4JhAl.exe'
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe 'C:\Users\user~1\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe'
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Users\user~1\AppData\Local\Temp\3582-490
Source: classification engine Classification label: mal100.rans.spre.troj.evad.winEXE@3/114@0/0
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File read: C:\Users\user\Desktop\desktop.ini
Source: Binary string: pst.pdb source: SCANPST.EXE.0.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.0.dr
Source: Binary string: P:\Target\x86\ship\outlook\x-none\scanpst.pdbpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000H source: SCANPST.EXE.0.dr
Source: Binary string: P:\Target\x86\ship\outlook\x-none\scanpst.pdb source: SCANPST.EXE.0.dr
Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u211\12973\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040802C push 00408052h; ret 0_2_0040804A
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004070A4 push 004070D0h; ret 0_2_004070C8
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004041D8 push 00404204h; ret 0_2_004041FC
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004041A0 push 004041CCh; ret 0_2_004041C4
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404256 push 00404284h; ret 0_2_0040427C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404258 push 00404284h; ret 0_2_0040427C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404210 push 0040423Ch; ret 0_2_00404234
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004042C8 push 004042F4h; ret 0_2_004042EC
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404290 push 004042BCh; ret 0_2_004042B4
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404370 push 0040439Ch; ret 0_2_00404394
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404300 push 0040432Ch; ret 0_2_00404324
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404338 push 00404364h; ret 0_2_0040435C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004043E0 push 0040440Ch; ret 0_2_00404404
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004043A8 push 004043D4h; ret 0_2_004043CC
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00410778 push 00406D36h; ret 0_2_004107C6
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040D7C0 push 00403D79h; ret 0_2_0040D809
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040D9F0 push 00403F84h; ret 0_2_0040DA14
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DA28 push 00403FBCh; ret 0_2_0040DA4C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00411AC4 push 00408052h; ret 0_2_00411AE2
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00410B3C push 004070D0h; ret 0_2_00410B60
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DC70 push 00404204h; ret 0_2_0040DC94
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DC38 push 004041CCh; ret 0_2_0040DC5C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00406CE0 push 00406D36h; ret 0_2_00406D2E
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DCEE push 00404284h; ret 0_2_0040DD14
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DCF0 push 00404284h; ret 0_2_0040DD14
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DCA8 push 0040423Ch; ret 0_2_0040DCCC
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DD60 push 004042F4h; ret 0_2_0040DD84
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00403D28 push 00403D79h; ret 0_2_00403D71
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DD28 push 004042BCh; ret 0_2_0040DD4C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DDD0 push 00404364h; ret 0_2_0040DDF4
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040DD98 push 0040432Ch; ret 0_2_0040DDBC

Persistence and Installation Behavior:

Yara detected Neshta
Source: Yara match File source: 6LkjS4JhAl.exe, type: SAMPLE
Source: Yara match File source: 0.2.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.506546365.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6LkjS4JhAl.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to behavior
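The entries above are pre-existing executables under Program Files, ProgramData and the user's Temp directory that the sample overwrote in place. Neshta is a prepending file infector: an infected file starts with the virus body and carries the original program appended behind it, and the infected copy re-extracts that original into a Temp subdirectory at run time (the Temp\3582-490 drop recorded later in this report). The Python script below is an added example, not code from the report or from the sample, showing how to test a file for that layout and carve the appended host: it walks the first PE's section table to find where its on-disk image ends, then checks whether a second, structurally complete PE begins exactly there. The PE images it builds are constructed test data with no real code; no fixed stub size is assumed.

```python
"""Detect and carve the host executable that a prepending file infector such as
Neshta leaves appended after its own body.  Added example; not code from the
sandbox report or from the analysed sample.  The PE images built here are
constructed test data: structurally valid headers with no real code."""
import struct


def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed sample: a PE32 image with one section and 0x200-byte file alignment."""
    opt_size, headers_size = 224, 0x200
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    # COFF: Machine(i386), NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    #       SizeOfOptionalHeader, Characteristics(EXECUTABLE_IMAGE|32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 60, headers_size)            # SizeOfHeaders
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    sec = bytearray(40)
    sec[0:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, len(section_data), 0x1000, raw_size, headers_size)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(headers_size, b"\0")
    return headers + section_data.ljust(raw_size, b"\0")


def parse_pe(data: bytes, base: int = 0):
    """Walk the headers of the PE starting at data[base:].  Returns (pe_sig_offset,
    end_of_on_disk_image) as absolute offsets into data, or None if the bytes are
    not a structurally complete PE (bad magic, or section data running past EOF)."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or len(data) < pe + 24 or data[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sec_table = pe + 24 + opt_size
    if opt_size < 64 or len(data) < sec_table + 40 * num_sections:
        return None
    end = base + struct.unpack_from("<I", data, pe + 24 + 60)[0]   # SizeOfHeaders
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if raw_size:
            end = max(end, base + raw_ptr + raw_size)
    return None if end > len(data) else (pe, end)


def find_appended_pe(data: bytes):
    """Offset of a second, complete PE sitting in the first PE's overlay, else None.
    A prepending infector writes its stub first and the original host after it, so
    the host begins exactly where the stub's last section ends on disk."""
    first = parse_pe(data, 0)
    if first is None:
        raise ValueError("input is not a PE file")
    overlay = first[1]
    if overlay >= len(data) or parse_pe(data, overlay) is None:
        return None   # no overlay, or an overlay that is not a PE (signature blob, installer payload)
    return overlay


def carve_host(data: bytes):
    """Return the appended host image, or None when the file does not have this layout."""
    off = find_appended_pe(data)
    return None if off is None else data[off:]


if __name__ == "__main__":
    host = build_minimal_pe(b"\xC3" * 100)        # stands in for an overwritten WINWORD.EXE
    stub = build_minimal_pe(b"\x90" * 300)        # stands in for the infector body
    infected = stub + host
    print("host starts at", find_appended_pe(infected), "recovered:", carve_host(infected) == host)
```

A second PE in the overlay is a strong but not conclusive indicator: self-extracting archives and some installers also carry whole PEs in their overlay, so confirm the leading stub against the sample's hash or the YARA match before treating a file as infected, and verify a carved host (Authenticode signature, or hash against installation media) before putting it back in place. Where the vendor installer is available, reinstalling the affected product is the safer remediation.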
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Windows\svchost.com Jump to dropped file
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Windows\svchost.com Jump to dropped file
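The "System file written", "File written" and "File created" lists above come from different signatures firing on the same small set of files, so most paths appear two or three times. The Python script below is an added example, not part of the Joe Sandbox report, that parses lines in the report's own format into a deduplicated inventory grouped by location and attaches a remediation action to each path. The sample lines are copied from this report. The action rule is the editor's assumption about the signature semantics: a path with a write event is a pre-existing executable that was overwritten in place and should be restored from installation media or backup, while a path that only appears as created (C:\Windows\svchost.com, the Temp\3582-490 copy) is a new artifact to quarantine.

```python
"""Turn the per-file lines of a sandbox behaviour report into a deduplicated
remediation inventory.  Added example; not part of the Joe Sandbox report.  The
sample lines are copied from this report; the restore/quarantine heuristic is the
editor's reading of the signature semantics, not a documented Joe Sandbox rule."""
import re
from collections import Counter

# The three line shapes that appear in this section:
#   Source: <proc> System file written: <path> Jump to behavior
#   Source: <proc> File written: <path> Jump to behavior
#   Source: <proc> File created: <path> Jump to dropped file
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+"
    r"(?P<event>System file written|File written|File created):\s+"
    r"(?P<path>.+?)\s*(?:Jump to behavior|Jump to dropped file)?\s*$"
)

# Events that mean an already-present executable was overwritten in place (assumption).
WRITE_EVENTS = {"System file written", "File written"}

# Constructed sample: eight lines copied from this report, including paths that the
# report lists under more than one signature.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Jump to dropped file
"""


def parse_report(text: str):
    """Yield (source, event, path) for every line that matches the report format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["source"], m["event"], m["path"]


def classify_location(path: str) -> str:
    """Coarse location class used to group the inventory."""
    p = path.lower()
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\programdata\\"):
        return "programdata"
    if p.startswith("c:\\program files"):
        return "program_files"
    if p.startswith("c:\\msocache\\"):
        return "msocache"
    if "\\appdata\\local\\temp\\" in p:
        return "user_temp"
    return "other"


def build_inventory(records):
    """Collapse repeated mentions of one path into a single entry carrying all of its events."""
    inv = {}
    for source, event, path in records:
        entry = inv.setdefault(path, {
            "events": set(), "sources": set(),
            "location": classify_location(path),
            # the report's "suspicious file extension" signature fired on a .com drop
            "suspicious_extension": path.lower().endswith(".com"),
        })
        entry["events"].add(event)
        entry["sources"].add(source)
    for entry in inv.values():
        # Heuristic (assumption): a write event means a pre-existing executable was
        # overwritten in place; a path that was only created is a new artifact.
        entry["action"] = ("restore_from_known_good" if entry["events"] & WRITE_EVENTS
                           else "quarantine_new_artifact")
    return inv


def summarize(inv):
    """Number of inventory entries per location class."""
    return Counter(e["location"] for e in inv.values())


if __name__ == "__main__":
    inventory = build_inventory(parse_report(SAMPLE_LINES))
    for path, entry in sorted(inventory.items()):
        print(f"{entry['action']:24} {entry['location']:14} {path}")
    print(dict(summarize(inventory)))
```

Feed the full report text in place of SAMPLE_LINES to get the complete inventory; the per-location counts give a quick measure of how far the infection spread beyond the sample's own directory, and the restore list is what has to be compared against installation media or backups.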

Boot Survival:

Yara detected Neshta
Source: Yara match File source: 6LkjS4JhAl.exe, type: SAMPLE
Source: Yara match File source: 0.2.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.506546365.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6LkjS4JhAl.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe RDTSC instruction interceptor: First address: 000000000040BB2C second address: 000000000040BB2C instructions:
0x00000000 rdtsc
0x00000002 cmp edx, 1Eh
0x00000005 xor eax, edx
0x00000007 cmp edx, 000000B5h
0x0000000d dec edi
0x0000000e cmp ebx, 59h
0x00000011 paddw mm3, mm4
0x00000014 jmp 00007F12B4BA2345h
0x00000016 cmp edi, 00000000h
0x00000019 jne 00007F12B4BA225Eh
0x0000001f cmp esi, 00000099h
0x00000025 mov ebx, 73176489h
0x0000002a cmp ch, 0000001Fh
0x0000002d xor ebx, 1EBDE606h
0x00000033 cmp cl, 0000002Fh
0x00000036 xor ebx, A275CC1Bh
0x0000003c cmp cx, 0094h
0x00000041 fprem
0x00000043 jmp 00007F12B4BA2342h
0x00000045 add ebx, 3060B16Ch
0x0000004b cmp edi, 0000009Fh
0x00000051 cmp di, 007Dh
0x00000055 rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405080
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405634
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00404F6C FindFirstFileA,FindClose, 0_2_00404F6C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0C4
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0CC
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F13F
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 0_2_004056A7
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040EA04 FindFirstFileA,FindClose, 0_2_0040EA04
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040EB16 FindFirstFileA,FindClose, 0_2_0040EB16
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040EB18
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 0_2_00406D40
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe Thread information set: HideFromDebugger

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe 'C:\Users\user~1\AppData\Local\Temp\3582-490\6LkjS4JhAl.exe'
Source: 6LkjS4JhAl.exe, 00000000.00000002.518459185.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: 6LkjS4JhAl.exe, 00000000.00000002.518459185.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 6LkjS4JhAl.exe, 00000000.00000002.518459185.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 6LkjS4JhAl.exe, 00000000.00000002.518459185.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: GetLocaleInfoA, 0_2_0040D74C
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: GetLocaleInfoA, 0_2_00403CB4
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040F270 GetLocalTime, 0_2_0040F270
Source: C:\Users\user\Desktop\6LkjS4JhAl.exe Code function: 0_2_0040D815 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 0_2_0040D815

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: 6LkjS4JhAl.exe, 00000000.00000003.359150372.0000000002294000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: 6LkjS4JhAl.exe, 00000000.00000003.359150372.0000000002294000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information:

Yara detected Neshta
Source: Yara match File source: 6LkjS4JhAl.exe, type: SAMPLE
Source: Yara match File source: 0.2.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.6LkjS4JhAl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.506546365.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6LkjS4JhAl.exe PID: 6508, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos