Windows Analysis Report Z68mMCAxFZ.exe

Overview

General Information

Sample Name: Z68mMCAxFZ.exe
Analysis ID: 490869
MD5: 547612a9ff746063a74c71b009230500
SHA1: c04b0adc612addc701e3a0336a4e8a23fbd331c4
SHA256: bf99b231b81ab2ba895c0cbf395a5fdb5fc18d3465592150e365f31302c8250a
Tags: exe, Neshta

Detection

GuLoader, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected Neshta
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
GuLoader behavior detected
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Tries to detect Any.run
Drops executable to a common third party application directory
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Z68mMCAxFZ.exe Virustotal: Detection: 85%
Antivirus / Scanner detection for submitted sample
Source: Z68mMCAxFZ.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Neshta.A
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Metadefender: Detection: 91%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: Z68mMCAxFZ.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack Avira: Label: W32/Neshta.A
Source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack Avira: Label: W32/Neshta.A

Compliance:

Uses 32bit PE files
Source: Z68mMCAxFZ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Spreading:

Yara detected Neshta
Source: Yara match File source: Z68mMCAxFZ.exe, type: SAMPLE
Source: Yara match File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405080
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405634
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404F6C FindFirstFileA,FindClose, 0_2_00404F6C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0C4
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0CC
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F13F
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 0_2_004056A7
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040EA04 FindFirstFileA,FindClose, 0_2_0040EA04
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040EB16 FindFirstFileA,FindClose, 0_2_0040EB16
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040EB18
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 0_2_00406D40
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: Z68mMCAxFZ.exe, 00000000.00000003.874643754.0000000002300000.00000004.00000001.sdmp Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Z68mMCAxFZ.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: Z68mMCAxFZ.exe, type: SAMPLE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic (same rule metadata as the first match above)
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Windows\svchost.com, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Creates files inside the system directory
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Windows\svchost.com
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Z68mMCAxFZ.exe, 00000000.00000003.672068638.0000000002237000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUndladendekand7.exe vs Z68mMCAxFZ.exe
Source: Z68mMCAxFZ.exe, 00000000.00000002.939439057.0000000000190000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs Z68mMCAxFZ.exe
PE file contains strange resources
Source: Z68mMCAxFZ.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
Source: Z68mMCAxFZ.exe Virustotal: Detection: 85%
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File read: C:\Users\user\Desktop\Z68mMCAxFZ.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Z68mMCAxFZ.exe 'C:\Users\user\Desktop\Z68mMCAxFZ.exe'
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Users\user\AppData\Local\Temp\3582-490
Source: classification engine Classification label: mal100.rans.spre.troj.evad.winEXE@5/111@0/0
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File read: C:\Users\user\Desktop\desktop.ini

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000F.00000002.938917460.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040802C push 00408052h; ret 0_2_0040804A
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004070A4 push 004070D0h; ret 0_2_004070C8
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004041D8 push 00404204h; ret 0_2_004041FC
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004041A0 push 004041CCh; ret 0_2_004041C4
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404256 push 00404284h; ret 0_2_0040427C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404258 push 00404284h; ret 0_2_0040427C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404210 push 0040423Ch; ret 0_2_00404234
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004042C8 push 004042F4h; ret 0_2_004042EC
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404290 push 004042BCh; ret 0_2_004042B4
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404370 push 0040439Ch; ret 0_2_00404394
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404300 push 0040432Ch; ret 0_2_00404324
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404338 push 00404364h; ret 0_2_0040435C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004043E0 push 0040440Ch; ret 0_2_00404404
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004043A8 push 004043D4h; ret 0_2_004043CC
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00410778 push 00406D36h; ret 0_2_004107C6
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040D7C0 push 00403D79h; ret 0_2_0040D809
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040D9F0 push 00403F84h; ret 0_2_0040DA14
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DA28 push 00403FBCh; ret 0_2_0040DA4C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00411AC4 push 00408052h; ret 0_2_00411AE2
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00410B3C push 004070D0h; ret 0_2_00410B60
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DC70 push 00404204h; ret 0_2_0040DC94
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DC38 push 004041CCh; ret 0_2_0040DC5C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00406CE0 push 00406D36h; ret 0_2_00406D2E
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DCEE push 00404284h; ret 0_2_0040DD14
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DCF0 push 00404284h; ret 0_2_0040DD14
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DCA8 push 0040423Ch; ret 0_2_0040DCCC
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DD60 push 004042F4h; ret 0_2_0040DD84
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00403D28 push 00403D79h; ret 0_2_00403D71
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DD28 push 004042BCh; ret 0_2_0040DD4C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DDD0 push 00404364h; ret 0_2_0040DDF4
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040DD98 push 0040432Ch; ret 0_2_0040DDBC

Persistence and Installation Behavior:

Yara detected Neshta
Source: Yara match File source: Z68mMCAxFZ.exe, type: SAMPLE
Source: Yara match File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to behavior
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Windows\svchost.com Jump to dropped file
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Windows\svchost.com Jump to dropped file
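The dropped-file and infected-file evidence above doubles as a host-sweep checklist. The script below is an added example, not part of the Joe Sandbox report and not the analyzer's own code: it parses evidence lines in the report's "Source: ... File created: ... Jump to ..." format into a deduplicated IOC list, tags the two Neshta-specific artifacts this report shows (the C:\Windows\svchost.com drop, and the %TEMP%\3582-490\ directory in which the clean copy of the infected host program is staged, as the Z68mMCAxFZ.exe line above shows), and separates vendor binaries overwritten in place from fresh drops. The sample input lines are copied from this report; the tag names, the `Ioc` class, the tag ranking and the injectable `exists` callback are the example's own conventions, and the reading of svchost.com as the viral body is documented family behaviour rather than something this report states.

```python
"""Triage helper for Neshta evidence lines from a Joe Sandbox report.

Added example, not part of the report. Parses 'Source: <process> <event>: <path>
Jump to ...' lines, deduplicates paths, tags Neshta-specific artifacts and
produces a sweep list that can be checked against a live host.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: evidence lines copied verbatim from the report above.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to behavior
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to dropped file
"""

# One evidence line: process, event keyword, path, optional trailing link text.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) "
    r"(?P<event>System file written|File written|File created): "
    r"(?P<path>.+?)(?: Jump to (?:behavior|dropped file))?$"
)

# Tag names are this example's own. Rank decides which tag wins when the same
# path appears under several signatures (e.g. WINWORD.EXE is listed both as
# 'System file written' and as 'File created').
TAG_RANK = {"neshta_body": 3, "neshta_host_copy": 2, "infected_host": 1, "dropped": 0}


@dataclass(frozen=True)
class Ioc:
    path: str
    location: str  # windows / program_files / programdata / user_temp / other
    tag: str       # key of TAG_RANK


def location_of(path):
    p = path.lower()
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\program files"):
        return "program_files"
    if p.startswith("c:\\programdata\\"):
        return "programdata"
    if "\\appdata\\local\\temp\\" in p:
        return "user_temp"
    return "other"


def tag_of(event, path, location):
    p = path.lower()
    # A .com in the Windows directory is the report's only Windows-dir drop;
    # Neshta is documented to keep its viral body there (assumption from the
    # family write-ups, not from this report).
    if p == "c:\\windows\\svchost.com":
        return "neshta_body"
    # Clean host copies are staged under %TEMP%\3582-490\ before execution
    # (the report shows the sample itself dropped there).
    if "\\3582-490\\" in p:
        return "neshta_host_copy"
    # An existing vendor binary rewritten in place is an infected host file.
    if event in ("System file written", "File written") and location in ("program_files", "programdata"):
        return "infected_host"
    return "dropped"


def parse_report(text):
    """Return IOCs deduplicated case-insensitively by path, highest-ranked tag kept."""
    best = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        loc = location_of(path)
        tag = tag_of(m.group("event"), path, loc)
        key = path.lower()
        if key not in best or TAG_RANK[tag] > TAG_RANK[best[key].tag]:
            best[key] = Ioc(path, loc, tag)
    return sorted(best.values(), key=lambda i: (-TAG_RANK[i.tag], i.path.lower()))


def summarize(iocs):
    """Count IOCs per tag; a quick measure of how much of the host was touched."""
    return Counter(i.tag for i in iocs)


def sweep_host(iocs, exists):
    """Return the IOCs present on a host. `exists` is injectable (os.path.exists on
    a live machine, a stub here) so the function runs offline."""
    return [i for i in iocs if exists(i.path)]


if __name__ == "__main__":
    iocs = parse_report(REPORT_LINES)
    for ioc in iocs:
        print(f"{ioc.tag:17} {ioc.location:14} {ioc.path}")
    print(dict(summarize(iocs)))
```

On a live host pass `os.path.exists` (or a callback that also validates the Authenticode signature) as `exists`. Every `infected_host` entry is a vendor binary modified in place, so its signature no longer verifies (`Get-AuthenticodeSignature` in PowerShell reports it as HashMismatch) and the program should be reinstalled from trusted media rather than patched; the `neshta_body` and `neshta_host_copy` entries are the artifacts to remove outright.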

Boot Survival:

Yara detected Neshta
Source: Yara match File source: Z68mMCAxFZ.exe, type: SAMPLE
Source: Yara match File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe RDTSC instruction interceptor: First address: 000000000040B86B second address: 000000000040B86B instructions:
  0x00000000 rdtsc
  0x00000002 cmp di, 00F2h
  0x00000007 xor eax, edx
  0x00000009 fscale
  0x0000000b jmp 00007F8CE03930AFh
  0x0000000d cmp bx, 001Bh
  0x00000011 dec edi
  0x00000012 cmp bh, 0000003Dh
  0x00000015 cmp edi, 00000000h
  0x00000018 jne 00007F8CE0392FDBh
  0x0000001e cmp bl, FFFFFFDCh
  0x00000021 mov ebx, 0E247385h
  0x00000026 cmp bx, 0084h
  0x0000002b xor ebx, 42241BB4h
  0x00000031 cmp ax, 0000009Ah
  0x00000035 faddp st(3), st(0)
  0x00000037 jmp 00007F8CE03930B0h
  0x00000039 add ebx, C9881A27h
  0x0000003f cmp dx, 009Ch
  0x00000044 sub ebx, 15488258h
  0x0000004a cmp dl, 00000042h
  0x0000004d cmp ch, 0000006Bh
  0x00000050 rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405080
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose, 0_2_00405634
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00404F6C FindFirstFileA,FindClose, 0_2_00404F6C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0C4
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F0CC
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose, 0_2_0040F13F
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose, 0_2_004056A7
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040EA04 FindFirstFileA,FindClose, 0_2_0040EA04
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040EB16 FindFirstFileA,FindClose, 0_2_0040EB16
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose, 0_2_0040EB18
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA, 0_2_00406D40
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: GetLocaleInfoA, 0_2_0040D74C
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: GetLocaleInfoA, 0_2_00403CB4
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040F270 GetLocalTime, 0_2_0040F270
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe Code function: 0_2_0040D815 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 0_2_0040D815

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Z68mMCAxFZ.exe, 00000000.00000003.859433978.0000000002234000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: Z68mMCAxFZ.exe, 00000000.00000003.859433978.0000000002234000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information:

Yara detected Neshta
Source: Yara match File source: Z68mMCAxFZ.exe, type: SAMPLE
Source: Yara match File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
No contacted IP infos