Windows Analysis Report KFoTnHP6B2.exe

Overview

General Information

Sample Name: KFoTnHP6B2.exe
Analysis ID: 510391
MD5: df330ab2a2e5aa4ac947315ee3f93992
SHA1: 76b5d1eee342b47fe58e2136a067712cbd210351
SHA256: 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
Tags: exe

Detection

FormBook Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Neshta
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Machine Learning detection for sample
Injects a PE file into a foreign process
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locale information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: KFoTnHP6B2.exe Virustotal: Detection: 32%
Source: KFoTnHP6B2.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: KFoTnHP6B2.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.KFoTnHP6B2.exe.1d0000.4.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.12.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.18.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.8.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.22.unpack Avira: Label: W32/Delf.I
Source: 0.2.KFoTnHP6B2.exe.f030000.2.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.24.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.10.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.20.unpack Avira: Label: W32/Delf.I
Source: 2.0.KFoTnHP6B2.exe.1d0000.14.unpack Avira: Label: W32/Delf.I
Source: 2.2.KFoTnHP6B2.exe.1d0000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 2.0.KFoTnHP6B2.exe.1d0000.6.unpack Avira: Label: W32/Delf.I
Source: 2.2.KFoTnHP6B2.exe.1da698.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.KFoTnHP6B2.exe.1d0000.16.unpack Avira: Label: W32/Delf.I

Compliance:

Uses 32bit PE files
Source: KFoTnHP6B2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: P:\Target\x86\ship\graph\x-none\graph.pdbaph.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000(B4>B4TB4vB4 source: GRAPH.EXE.2.dr
Source: Binary string: wntdll.pdbUGP source: KFoTnHP6B2.exe, 00000000.00000003.252882063.000000000F070000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: KFoTnHP6B2.exe, 00000000.00000003.252882063.000000000F070000.00000004.00000001.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb source: vcredist_x86.exe.2.dr
Source: Binary string: aph.pdb source: GRAPH.EXE.2.dr
Source: Binary string: P:\Target\x86\ship\graph\x-none\graph.pdb source: GRAPH.EXE.2.dr

Spreading:

Yara detected Neshta
Source: Yara match File source: 2.2.KFoTnHP6B2.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.522605654.00000000001D9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KFoTnHP6B2.exe PID: 4932, type: MEMORYSTR
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_00402671 FindFirstFileA, 2_2_00402671
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_00405E93 FindFirstFileA,FindClose, 2_2_00405E93
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_004054BD
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D5080 FindFirstFileA,FindNextFileA,FindClose, 2_2_001D5080
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D5634 FindFirstFileA,FindNextFileA,FindClose, 2_2_001D5634
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4F6C FindFirstFileA,FindClose, 2_2_001D4F6C
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D56A7 FindFirstFileA,FindNextFileA,FindClose, 2_2_001D56A7
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D6D40 GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA, 2_2_001D6D40
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\
Source: KFoTnHP6B2.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: KFoTnHP6B2.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Aut2exe_x64.exe.2.dr String found in binary or memory: http://www.autoitscript.com/autoit3/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: KFoTnHP6B2.exe, 00000000.00000002.265737004.000000000066A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: KFoTnHP6B2.exe, 00000002.00000003.448360656.0000000002280000.00000004.00000001.sdmp Binary or memory string: _WinAPI_RegisterRawInputDevices.au3
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: KFoTnHP6B2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 2.0.KFoTnHP6B2.exe.1d0000.18.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.12.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.20.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.22.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.22.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 0.2.KFoTnHP6B2.exe.f030000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.24.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.24.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.10.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.20.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.14.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.18.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 0.2.KFoTnHP6B2.exe.f030000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.2.KFoTnHP6B2.exe.1d0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.16.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 2.0.KFoTnHP6B2.exe.1d0000.16.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.254262748.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.258305894.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.260372806.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.261268435.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.263822503.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.256253314.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.264363757.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.262239992.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.255320812.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000000.00000002.267609639.000000000F030000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 00000002.00000000.257135869.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth, description = Detects suspicious unsigned GoogleUpdate.exe, reference = Internal Research, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED Matched rule: SUSP_NullSoftInst_Combo_Oct20_1 date = 2020-10-06, hash3 = a9ca1d6a981ccc8d8b144f337c259891a67eb6b85ee41b03699baacf4aae9a78, hash2 = 93951379e57e4f159bb62fd7dd563d1ac2f3f23c80ba89f2da2e395b8a647dcf, author = Florian Roth, description = Detects suspicious NullSoft Installer combination with common Copyright strings, reference = https://twitter.com/malwrhunterteam/status/1313023627177193472, score = 686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 2_2_004030FB
Creates files inside the system directory
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Windows\svchost.com
Detected potential crypto function
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C13070 0_2_72C13070
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C15AEE 0_2_72C15AEE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C15AFD 0_2_72C15AFD
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C130BA 0_2_72C130BA
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_004047D3 2_2_004047D3
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_004061D4 2_2_004061D4
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001DE26B 2_2_001DE26B
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001DFC6C 2_2_001DFC6C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: String function: 00402A29 appears 51 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C15ECC CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread, 0_2_72C15ECC
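The API sequence above (CreateProcessW, NtQueryInformationProcess, VirtualAllocEx, CreateRemoteThread, SuspendThread), together with the process tree elsewhere in this report in which KFoTnHP6B2.exe starts a second copy of itself, is the usual shape of injecting a payload into a freshly spawned, suspended child. The Python below is an added detection example and is not part of the Joe Sandbox report: it correlates Sysmon process-creation events (EID 1) with CreateRemoteThread events (EID 8) and alerts when the source of the remote thread is the parent that just spawned a child with its own image. The event records are constructed for the example; the child PID 4932 is the one named by the report's Yara hits, while the parent PID, the timestamps and the benign browser records are assumptions.

```python
from datetime import datetime

# Constructed Sysmon-style records (not taken from the report). PID 4932 is the child
# instance the report's Yara hits name; the parent PID 4100, the timestamps and the
# browser/csrss records are assumptions made for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2021-10-29 10:00:01.000", "ProcessId": 4100,
     "Image": r"C:\Users\user\Desktop\KFoTnHP6B2.exe",
     "ParentProcessId": 2200, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2021-10-29 10:00:01.250", "ProcessId": 4932,
     "Image": r"C:\Users\user\Desktop\KFoTnHP6B2.exe",
     "ParentProcessId": 4100, "ParentImage": r"C:\Users\user\Desktop\KFoTnHP6B2.exe"},
    {"EventID": 8, "UtcTime": "2021-10-29 10:00:01.300",
     "SourceProcessId": 4100, "SourceImage": r"C:\Users\user\Desktop\KFoTnHP6B2.exe",
     "TargetProcessId": 4932, "TargetImage": r"C:\Users\user\Desktop\KFoTnHP6B2.exe",
     "StartAddress": "0x00401000"},
    # benign self-spawn: a browser starting a renderer, never followed by a remote thread
    {"EventID": 1, "UtcTime": "2021-10-29 10:00:02.000", "ProcessId": 5000,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessId": 4800,
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # remote thread from an unrelated process into that renderer: not the self-inject pattern
    {"EventID": 8, "UtcTime": "2021-10-29 10:00:02.100",
     "SourceProcessId": 3300, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 5000,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x77001234"},
]


def _ts(ev):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _same_image(a, b):
    return a.lower() == b.lower()


def detect_self_injection(events, window_seconds=5.0):
    """Correlate EID 1 (process create) with EID 8 (CreateRemoteThread).

    Alert when a process starts a copy of its own image and then, within the window,
    creates a thread inside that child. That is the host-visible side of
    CreateProcessW -> VirtualAllocEx -> CreateRemoteThread. Self-spawn on its own is
    normal (browsers, Office, updaters); the EID 8 link from parent to child is what
    makes the pattern specific.
    """
    self_spawned = {}  # child pid -> its EID 1 record
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == 1:
            if _same_image(ev["Image"], ev["ParentImage"]):
                self_spawned[ev["ProcessId"]] = ev
        elif ev["EventID"] == 8:
            child = self_spawned.get(ev["TargetProcessId"])
            if child is None or child["ParentProcessId"] != ev["SourceProcessId"]:
                continue
            delay = (_ts(ev) - _ts(child)).total_seconds()
            if delay > window_seconds:
                continue  # PIDs get reused; an old EID 1 record must not match
            alerts.append({
                "rule": "self-spawn followed by CreateRemoteThread into the child",
                "image": ev["SourceImage"],
                "parent_pid": ev["SourceProcessId"],
                "child_pid": ev["TargetProcessId"],
                "start_address": ev["StartAddress"],
                "seconds_after_spawn": delay,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_self_injection(SAMPLE_EVENTS):
        print(alert)
```

The rule needs CreateRemoteThread logging (EID 8) to be enabled and not filtered out in the Sysmon configuration. The suspended state of the child is not visible in Sysmon; where API-level telemetry exists, the SuspendThread call in the chain above is an additional discriminator.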
Sample file is different than original file name gathered from version info
Source: KFoTnHP6B2.exe, 00000000.00000003.256721872.000000000F31F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs KFoTnHP6B2.exe
Source: KFoTnHP6B2.exe, 00000002.00000002.523908509.0000000000560000.00000004.00000010.sdmp Binary or memory string: OriginalFilename vs KFoTnHP6B2.exe
Source: KFoTnHP6B2.exe Virustotal: Detection: 32%
Source: KFoTnHP6B2.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File read: C:\Users\user\Desktop\KFoTnHP6B2.exe
Source: KFoTnHP6B2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\KFoTnHP6B2.exe 'C:\Users\user\Desktop\KFoTnHP6B2.exe'
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Process created: C:\Users\user\Desktop\KFoTnHP6B2.exe 'C:\Users\user\Desktop\KFoTnHP6B2.exe'
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Users\user~1\AppData\Local\Temp\nso7270.tmp
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@4/111@0/0
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: KFoTnHP6B2.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0 Perma Link
Source: Binary string: P:\Target\x86\ship\graph\x-none\graph.pdbaph.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000(B4>B4TB4vB4 source: GRAPH.EXE.2.dr
Source: Binary string: wntdll.pdbUGP source: KFoTnHP6B2.exe, 00000000.00000003.252882063.000000000F070000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: KFoTnHP6B2.exe, 00000000.00000003.252882063.000000000F070000.00000004.00000001.sdmp
Source: Binary string: E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb source: vcredist_x86.exe.2.dr
Source: Binary string: aph.pdb source: GRAPH.EXE.2.dr
Source: Binary string: P:\Target\x86\ship\graph\x-none\graph.pdb source: GRAPH.EXE.2.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001E4064 push ebx; ret 2_2_001E4065
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D80C0 push 001D80E6h; ret 2_2_001D80DE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D70F4 push 001D7120h; ret 2_2_001D7118
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D41A0 push 001D41CCh; ret 2_2_001D41C4
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D41D8 push 001D4204h; ret 2_2_001D41FC
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4210 push 001D423Ch; ret 2_2_001D4234
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4258 push 001D4284h; ret 2_2_001D427C
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4256 push 001D4284h; ret 2_2_001D427C
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4290 push 001D42BCh; ret 2_2_001D42B4
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D42C8 push 001D42F4h; ret 2_2_001D42EC
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4300 push 001D432Ch; ret 2_2_001D4324
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4338 push 001D4364h; ret 2_2_001D435C
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001E3B4B push edx; retf 2_2_001E3B4D
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4370 push 001D439Ch; ret 2_2_001D4394
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D43A8 push 001D43D4h; ret 2_2_001D43CC
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D43E0 push 001D440Ch; ret 2_2_001D4404
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D6CE0 push 001D6D36h; ret 2_2_001D6D2E
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D3D28 push 001D3D79h; ret 2_2_001D3D71
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D3F58 push 001D3F84h; ret 2_2_001D3F7C
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D3F90 push 001D3FBCh; ret 2_2_001D3FB4
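Every entry above has the same shape: the function never emits a jmp or call opcode, it pushes the destination and executes ret, so the address the CPU pops as a "return address" is really the branch target (in each push-immediate entry the target sits eight bytes past the ret). The `push ebx; ret` and `push edx; retf` entries are the register variant, a computed jump whose destination exists only at run time. The Python below is an added example, not code from the report: a byte-pattern scanner that finds both forms in raw x86 code, resolves immediate targets, checks that they fall inside the mapped image, and links gadgets that chain into one another. The code bytes, the image base and the image size are constructed for the example. The scanner is not a disassembler, so a hit inside data or in the middle of a longer instruction is a false positive that a real workflow confirms against the disassembly.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

CODE_VA = 0x001D80C0  # assumed virtual address of SAMPLE_CODE[0]

# Constructed x86 bytes (not taken from the sample): a prologue, filler, then the two
# forms flagged in the report, laid out so that the first gadget's ret lands at
# 001D80DE and its target 001D80E6 is the second gadget.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                                       # push ebp; mov ebp, esp
    + b"\x90" * 0x16                                      # nop filler
    + b"\x68" + struct.pack("<I", 0x001D80E6) + b"\xc3"   # push 001D80E6h; ret
    + b"\xcc" * 7                                         # int3 padding
    + b"\x53\xc3"                                         # push ebx; ret
)


def find_push_ret(code, code_va, image_base, image_size):
    """Byte-pattern scan of raw x86 code for the two push/ret forms.

    68 imm32 C3  push imm32; ret  : unconditional jump to imm32 without a jmp/call opcode
    50+r   C3    push r32;   ret  : computed jump to whatever the register holds
    code_va is the virtual address of code[0]; image_base/image_size bound the module
    so immediate targets can be sanity-checked. Returns one dict per hit.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append({
                "push_va": code_va + i,
                "ret_va": code_va + i + 5,
                "form": "push imm32; ret",
                "target": target,
                "target_in_image": image_base <= target < image_base + image_size,
            })
            i += 6
            continue
        if 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            hits.append({
                "push_va": code_va + i,
                "ret_va": code_va + i + 1,
                "form": "push %s; ret" % REG32[op - 0x50],
                "target": None,
                "target_in_image": None,
            })
            i += 2
            continue
        i += 1
    return hits


def link_chains(hits):
    """Mark immediate gadgets whose target is itself a push/ret gadget (a chained redirect)."""
    by_va = {h["push_va"]: h for h in hits}
    for h in hits:
        nxt = by_va.get(h["target"]) if h["target"] is not None else None
        h["chains_to"] = nxt["form"] if nxt else None
    return hits


def describe(hit):
    """Render a hit in the same style as the report lines above."""
    push_va, ret_va = hit["push_va"], hit["ret_va"]
    if hit["target"] is None:
        return "%08X %s %08X" % (push_va, hit["form"], ret_va)
    line = "%08X push %08Xh; ret %08X -> jmp %08X" % (push_va, hit["target"], ret_va, hit["target"])
    if not hit["target_in_image"]:
        line += "  (target outside image)"
    return line


if __name__ == "__main__":
    # assumed module bounds for the constructed code: base 001D0000, 0x20000 bytes
    for h in link_chains(find_push_ret(SAMPLE_CODE, CODE_VA, 0x001D0000, 0x00020000)):
        print(describe(h), "chains to:", h["chains_to"])
```

A target outside the image, or one that never lines up with an instruction boundary in the disassembly, usually means the pattern was matched inside data rather than code.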

Persistence and Installation Behavior:

Yara detected Neshta
Source: Yara match File source: 2.2.KFoTnHP6B2.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.522605654.00000000001D9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KFoTnHP6B2.exe PID: 4932, type: MEMORYSTR
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
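The writes above are Neshta's infection routine at work: every executable it can reach under Program Files (x86), ProgramData and the temp paths is rewritten. Neshta is a prepending infector, meaning its own body is written in front of the host and the host's original bytes are kept after it, which is why each victim stays runnable and why the report lists them as both "system file written" and dropped PE files. The Python below is an added triage example and is not part of the Joe Sandbox report: it walks the PE section table to find where a file's on-disk image ends, looks for a second complete PE header in the overlay, carves the original host so it can be hashed and compared with a known-good copy, and groups files by the SHA-256 of the prepended stub (an infector's stub is byte-identical across every host it touched, whereas an installer's outer layer differs per product). The two tiny PE images it is exercised against are constructed inside the block; nothing about Neshta's stub size or offsets is assumed.

```python
import hashlib
import os
import struct
import sys


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def pe_raw_extent(data):
    """Offset at which the PE's on-disk sections end (start of any overlay).
    Returns None if `data` does not begin with a parseable MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = _u32(data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = _u16(data, e_lfanew + 6)      # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(data, e_lfanew + 20)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    sect_table = e_lfanew + 24 + opt_size
    end = sect_table + 40 * nsections         # headers alone, if every section is empty
    if end > len(data):
        return None
    for i in range(nsections):
        off = sect_table + 40 * i
        raw_size = _u32(data, off + 16)       # IMAGE_SECTION_HEADER.SizeOfRawData
        raw_ptr = _u32(data, off + 20)        # IMAGE_SECTION_HEADER.PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_pe(data):
    """Offset of a second, complete PE header inside the overlay, or None.
    A prepending infector leaves the original host exactly there."""
    end = pe_raw_extent(data)
    if end is None or end >= len(data):
        return None
    pos = data.find(b"MZ", end)
    while pos != -1:
        if pe_raw_extent(data[pos:]) is not None:
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_host(data):
    """Return (stub_bytes, host_bytes) for a file carrying an embedded PE, else None."""
    pos = find_embedded_pe(data)
    if pos is None:
        return None
    return data[:pos], data[pos:]


def group_by_stub(samples):
    """samples: {name: file bytes}. Returns {sha256(prepended stub): [names]} for every
    file that carries an embedded host; files without one are skipped."""
    groups = {}
    for name, data in samples.items():
        carved = carve_host(data)
        if carved is None:
            continue
        stub, _host = carved
        groups.setdefault(hashlib.sha256(stub).hexdigest(), []).append(name)
    return groups


def build_demo_pe(marker):
    """Constructed, structurally valid PE32 with one section (demo input, not real malware)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<IIII", opt, 16, 0x1000, 0, 0, 0x400000)   # EntryPoint .. ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/File alignment
    raw_ptr, raw_size = 0x200, 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(raw_ptr, b"\0")
    return header + marker.ljust(raw_size, b"\0")


if __name__ == "__main__":
    # usage: python neshta_triage.py "C:\Program Files (x86)" C:\ProgramData
    blobs = {}
    for root in sys.argv[1:]:
        for dirpath, _, names in os.walk(root):
            for n in names:
                if n.lower().endswith((".exe", ".com")):
                    path = os.path.join(dirpath, n)
                    with open(path, "rb") as fh:
                        blobs[path] = fh.read()
    for stub_hash, paths in group_by_stub(blobs).items():
        print(stub_hash, len(paths), "file(s)")
        for p in paths:
            print("   ", p)
```

Installers and self-extractors (including the NSIS outer layer of this very sample) legitimately carry embedded PEs, so one hit is a triage signal rather than a verdict; a single stub hash shared by dozens of unrelated products' binaries, as in the list above, is what distinguishes an infection from packaging. Hashing the carved host against a vendor copy confirms whether the original survived intact.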
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Windows\svchost.com
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Users\user\AppData\Local\Temp\nsz72B0.tmp\oxtrp.dll Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File created: C:\Windows\svchost.com Jump to dropped file

Boot Survival:

Yara detected Neshta
Source: Yara match File source: 2.2.KFoTnHP6B2.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.522605654.00000000001D9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KFoTnHP6B2.exe PID: 4932, type: MEMORYSTR
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ChromeSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_00402671 FindFirstFileA, 2_2_00402671
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_00405E93 FindFirstFileA,FindClose, 2_2_00405E93
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_004054BD
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D5080 FindFirstFileA,FindNextFileA,FindClose, 2_2_001D5080
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D5634 FindFirstFileA,FindNextFileA,FindClose, 2_2_001D5634
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D4F6C FindFirstFileA,FindClose, 2_2_001D4F6C
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D56A7 FindFirstFileA,FindNextFileA,FindClose, 2_2_001D56A7
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D6D40 GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA, 2_2_001D6D40
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\

Anti Debugging:

Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C13070 lqcuopia,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect, 0_2_72C13070
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C154DA mov eax, dword ptr fs:[00000030h] 0_2_72C154DA
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C157DE mov eax, dword ptr fs:[00000030h] 0_2_72C157DE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C156EE mov eax, dword ptr fs:[00000030h] 0_2_72C156EE
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C1579F mov eax, dword ptr fs:[00000030h] 0_2_72C1579F
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_72C1581C mov eax, dword ptr fs:[00000030h] 0_2_72C1581C

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Memory written: C:\Users\user\Desktop\KFoTnHP6B2.exe base: 1D0000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Process created: C:\Users\user\Desktop\KFoTnHP6B2.exe 'C:\Users\user\Desktop\KFoTnHP6B2.exe'
Source: KFoTnHP6B2.exe, 00000002.00000002.526204897.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: KFoTnHP6B2.exe, 00000002.00000002.526204897.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: KFoTnHP6B2.exe, 00000002.00000002.526204897.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: KFoTnHP6B2.exe, 00000002.00000002.526204897.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: GetLocaleInfoA, 2_2_001D3CB4
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 2_2_001D57D8 GetLocalTime, 2_2_001D57D8
Source: C:\Users\user\Desktop\KFoTnHP6B2.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: KFoTnHP6B2.exe, 00000002.00000003.398666991.00000000021B4000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: KFoTnHP6B2.exe, 00000002.00000003.398666991.00000000021B4000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information:

Yara detected Neshta
Source: Yara match File source: 2.2.KFoTnHP6B2.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.522605654.00000000001D9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KFoTnHP6B2.exe PID: 4932, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.267620652.000000000F03A000.00000004.00000001.sdmp, type: MEMORY
No contacted IP infos