Windows Analysis Report
IntelCpHeciSvc.exe

Overview

General Information

Sample Name: IntelCpHeciSvc.exe
Analysis ID: 877850
MD5: 6b4a5a412e90721fba5170a25caefbd4
SHA1: 7796314ed7b9b9472b98d6efbb93164e44877c34
SHA256: 62271e4b8eeb27837dda10e85fb4b4a8f0c54b319ea06d28ffd56fab022d6f18
Tags: exe

Detection

Nanocore, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Neshta
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Machine Learning detection for sample
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7d265ee0-5eff-4ffb-9f35-947e4a7e", "Group": "Default", "Domain1": "", "Domain2": "googleusercontent.ddns.net", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: IntelCpHeciSvc.exe ReversingLabs: Detection: 97%
Source: IntelCpHeciSvc.exe Virustotal: Detection: 90%
Source: IntelCpHeciSvc.exe Avira: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe ReversingLabs: Detection: 95%
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Virustotal: Detection: 92%
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE ReversingLabs: Detection: 96%
Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: IntelCpHeciSvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Joe Sandbox ML: detected
Source: IntelCpHeciSvc.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Directory created: C:\Program Files\DHCP Monitor
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Directory created: C:\Program Files\DHCP Monitor\dhcpmon.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdbv source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 4e089\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbSpec source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\

Networking

Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: googleusercontent.ddns.net
Source: unknown DNS query: name: googleusercontent.ddns.net
Source: Joe Sandbox View ASN Name: FINK-TELECOM-SERVICESCH
Source: Joe Sandbox View IP Address: 79.134.225.25
Source: global traffic TCP traffic: 192.168.2.7:49701 -> 79.134.225.25:54984
Source: unknown DNS traffic detected: queries for: googleusercontent.ddns.net
Source: IntelCpHeciSvc.exe, 00000000.00000002.609912697.00000000004BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: IntelCpHeciSvc.exe, 00000000.00000003.507819138.0000000002250000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

E-Banking Fraud

Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED

System Summary

Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Detects NanoCore Author: ditekSHen
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Detects Neshta Author: ditekSHen
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Neshta Author: ditekSHen
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: Detects NanoCore Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detects NanoCore Author: ditekSHen
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Windows\svchost.com, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED Matched rule: Detects Neshta Author: ditekSHen
Source: IntelCpHeciSvc.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: IntelCpHeciSvc.exe, type: SAMPLE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Windows\svchost.com, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Windows\svchost.com, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Windows\svchost.com, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED Matched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Windows\svchost.com
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A93288 1_2_00007FFDC2A93288
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A9301D 1_2_00007FFDC2A9301D
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A9CFB9 1_2_00007FFDC2A9CFB9
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A997AD 1_2_00007FFDC2A997AD
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A9CD1D 1_2_00007FFDC2A9CD1D
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A9EB58 1_2_00007FFDC2A9EB58
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A932B9 1_2_00007FFDC2A932B9
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Code function: 3_2_00007FFDC2A83040 3_2_00007FFDC2A83040
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Code function: 3_2_00007FFDC2A832B9 3_2_00007FFDC2A832B9
Source: IntelCpHeciSvc.exe, 00000000.00000002.609608819.0000000000190000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.610283998.0000000000B89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.615813689.0000000000D50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IntelCpHeciSvc.exe
Source: IntelCpHeciSvc.exe, 00000001.00000002.627685119.0000000012E1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IntelCpHeciSvc.exe
Source: Joe Sandbox View Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe C2D2D8A74C726957A9DD578DCC0ED1C8B86B400822477B50FB2518923065E229
Source: IntelCpHeciSvc.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.9996875
Source: IntelCpHeciSvc.exe ReversingLabs: Detection: 97%
Source: IntelCpHeciSvc.exe Virustotal: Detection: 90%
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File read: C:\Users\user\Desktop\IntelCpHeciSvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\IntelCpHeciSvc.exe C:\Users\user\Desktop\IntelCpHeciSvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"
Source: unknown Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~1\DHCPMO~1\dhcpmon.exe"
Source: C:\Windows\svchost.com Process created: C:\Program Files\DHCP Monitor\dhcpmon.exe C:\PROGRA~1\DHCPMO~1\dhcpmon.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"
Source: C:\Windows\svchost.com Process created: C:\Program Files\DHCP Monitor\dhcpmon.exe C:\PROGRA~1\DHCPMO~1\dhcpmon.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Users\user~1\AppData\Local\Temp\3582-490
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@6/118@21/1
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File read: C:\Users\user\Desktop\desktop.ini
Source: IntelCpHeciSvc.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.32%
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{7d265ee0-5eff-4ffb-9f35-947e4a7e76b0}
Source: C:\Windows\svchost.com Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File created: C:\Program Files\DHCP Monitor
Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Directory created: C:\Program Files\DHCP Monitor
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Directory created: C:\Program Files\DHCP Monitor\dhcpmon.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdbv source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 4e089\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbSpec source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Code function: 1_2_00007FFDC2A9A354 push eax; retf 1_2_00007FFDC2A9A36D
Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior

Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: unknown Executable created and started: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File created: C:\Program Files\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Windows\svchost.com
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File created: C:\Windows\svchost.com

Boot Survival

Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DHCP Monitor (2 identical entries collapsed)
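The two registry writes above are the persistence this sample leaves behind: the exefile shell\open\command handler is rewritten (the report does not print the new value; Neshta's documented behaviour is to point it at its C:\Windows\svchost.com stub so that the stub runs before every EXE), and the NanoCore payload registers a Run value named DHCP Monitor. The PowerShell below is an added host-triage script, not part of this report or of the malware. It assumes the clean handler value is "%1" %*, takes the IOC paths and the four Program Files binaries it checks from the paths this report lists, and treats the current user's LOCALAPPDATA as the sandbox's C:\Users\user\AppData\Local.

```powershell
# Added triage script (not from the Joe Sandbox report or the sample). Read-only; run elevated.
# Assumptions: clean exefile handler is "%1" %*; IOC paths are those listed in this report.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. exefile handler: Neshta replaces it so its C:\Windows\svchost.com stub runs first.
$handlerKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$expected   = '"%1" %*'                                  # assumption: clean default
$handler    = (Get-ItemProperty -Path $handlerKey).'(default)'
if ($handler -ne $expected) {
    $findings.Add("exefile handler modified: $handler")
}

# 2. Run-key persistence: the report shows a value named "DHCP Monitor" under HKLM Run.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
(Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $psProps -notcontains $_.Name } |
    ForEach-Object {
        if ($_.Name -eq 'DHCP Monitor' -or $_.Value -match 'DHCP Monitor|3582-490') {
            $findings.Add("Run value '$($_.Name)' -> $($_.Value)")
        }
    }

# 3. Dropped artefacts named in the report.
$iocPaths = @(
    'C:\Windows\svchost.com',
    'C:\Program Files\DHCP Monitor\dhcpmon.exe',
    (Join-Path $env:LOCALAPPDATA 'Temp\3582-490\IntelCpHeciSvc.exe')   # assumption: same drop path
)
foreach ($p in $iocPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("IOC present: $p") }
}

# 4. Neshta overwrites legitimate executables in Program Files (the Yara-matched files above).
#    A rewritten binary no longer carries a valid Authenticode signature; HashMismatch on a
#    vendor-signed file is the decisive result, NotSigned needs a manual look.
$checkPaths = @(
    'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE',
    'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe',
    'C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe',
    'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe'
)
foreach ($p in $checkPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature $($sig.Status): $p")
    }
}

if ($findings.Count -eq 0) { 'No Neshta/NanoCore indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Fixing the handler value alone is not a clean-up: every Program Files binary the report lists as a Yara match has been rewritten, so the host needs reimaging or a full reinstall of the affected products after the exefile key and the Run value are restored.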

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe File opened: C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe:Zone.Identifier read attributes | delete
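The entry above shows the dropped copy opening its own Zone.Identifier alternate data stream with delete access. That stream is the Mark-of-the-Web that SmartScreen and Office Protected View key on; once it is removed the file is treated as locally created rather than downloaded. The following PowerShell is an added example, not from the report or the sample: a function that enumerates a file's streams and parses ZoneId and HostUrl from Zone.Identifier, run over this report's drop locations (the paths are assumptions taken from the report, with LOCALAPPDATA standing in for C:\Users\user\AppData\Local).

```powershell
# Added example (not from the Joe Sandbox report or the sample): inspect Mark-of-the-Web.
# Paths are assumptions taken from the report's drop locations.

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; Exists = $false; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }
    $result.Exists = $true

    # Every NTFS file has a ':$DATA' stream; a downloaded file also carries 'Zone.Identifier'.
    $streams = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Stream)
    if ($streams -notcontains 'Zone.Identifier') { return [pscustomobject]$result }
    $result.HasMotw = $true

    # The stream is INI text: [ZoneTransfer] / ZoneId=3 (3 = Internet zone), optionally
    # ReferrerUrl= and HostUrl= recording where the file was downloaded from.
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $zone = [regex]::Match($text, 'ZoneId=(\d+)')
    $src  = [regex]::Match($text, 'HostUrl=(\S+)')
    if ($zone.Success) { $result.ZoneId  = [int]$zone.Groups[1].Value }
    if ($src.Success)  { $result.HostUrl = $src.Groups[1].Value }

    [pscustomobject]$result
}

# Sweep the report's drop directory and persistence binaries. On an infected host the
# dropped copies show HasMotw = False even though the original download carried it;
# compare against a file in Downloads, which normally shows ZoneId 3.
$targets = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\3582-490\IntelCpHeciSvc.exe'),
    'C:\Program Files\DHCP Monitor\dhcpmon.exe',
    'C:\Windows\svchost.com'
)
$targets | ForEach-Object { Get-MotwInfo -Path $_ } | Format-Table -AutoSize
```

Absence of the stream on a file that arrived by download is itself a finding, but copying between NTFS volumes, extraction by some archivers, and a FAT-formatted USB stick also drop it, so treat a missing Zone.Identifier as corroborating evidence next to the registry and file indicators, not as proof on its own.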
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Process information set: NOOPENFILEERRORBOX (21 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Process information set: NOOPENFILEERRORBOX (60 identical entries collapsed)
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX (10 identical entries collapsed)
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (34 identical entries collapsed)
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe TID: 6956 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe TID: 6964 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe TID: 7148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe Jump to dropped file
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Window / User API: foregroundWindowGot 787
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mumum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: IntelCpHeciSvc.exe, 00000001.00000003.547251042.000000001B84A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mumum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"
Source: IntelCpHeciSvc.exe, 00000001.00000003.359611397.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.362405323.0000000000C67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en-US/SurveillanceExClientPlugin.resources.EXE
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceExClientPlugin.resources.DLL
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.484908244.0000000000C65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert.ddns.net
Source: IntelCpHeciSvc.exe, 00000001.00000003.482442583.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.482937315.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert.ddns.netb
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000003122000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.484908244.0000000000C65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageruld be made because the target machine actively refused it.
Source: IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.EXE
Source: IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360303205.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360450418.0000000000C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en/SurveillanceExClientPlugin.resources.EXE
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en-US\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.DLLb
Source: IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en/SurveillanceExClientPlugin.resources.DLL8
Source: IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.362405323.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en/SurveillanceExClientPlugin.resources/SurveillanceExClientPlugin.resources.DLL
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.482442583.0000000000C64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert.ddns.net[
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.484908244.0000000000C65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert.ddns.netz
Source: IntelCpHeciSvc.exe, 00000001.00000003.360450418.0000000000C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerindow.0.app.0.378734a
Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.482442583.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.455171072.0000000000C65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert.ddns.net8
Source: IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager@w
Source: IntelCpHeciSvc.exe, 00000001.00000003.359611397.0000000000C67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceEx
Source: IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.DLL
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: IntelCpHeciSvc.exe, 00000000.00000003.477943862.0000000002184000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: IntelCpHeciSvc.exe, 00000000.00000003.477943862.0000000002184000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
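The evidence above is easier to act on once aggregated: the long "Dropped PE file which has not been started" list is not new malware being staged but the analysis machine's own Office, Adobe, Java, Google Update and AutoIt executables rewritten by the file infector, and the repeated "Thread delayed: delay time: 922337203685477" entries are all the same sentinel value, Int64.MaxValue divided by 10000, which is what a .NET TimeSpan.MaxValue wait looks like when the sandbox reports it in milliseconds (TimeSpan ticks are 100 ns). The following Python triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's "Source: <process> <observation>: <value>" layout (a constructed subset of the lines above is embedded as input), groups the rewritten executables by product directory so a responder knows which installs to restore from known-good media, and lists the processes that parked a thread on the TimeSpan.MaxValue wait. The regular expressions, the depth-3 directory grouping and all function names are assumptions of this example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input: a subset of the evidence lines from the report above,
# in the "Source: <process> <observation>: <value>" layout the sandbox prints.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file",
    r"Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
    r"Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
    r"Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
    r"Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Program Files\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477",
    # Constructed control line: an ordinary one-minute sleep must not be flagged.
    r"Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe Thread delayed: delay time: 60000",
]

# Hyperlink labels the HTML report appends to each evidence line.
LINK_SUFFIXES = (" Jump to dropped file", " Jump to behavior")

DROPPED_RE = re.compile(
    r"^Source: (?P<src>.+?) Dropped PE file which has not been started: (?P<path>.+)$")
DELAY_RE = re.compile(
    r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<ms>\d+)$")

# .NET TimeSpan ticks are 100 ns and the sandbox reports delays in milliseconds,
# so TimeSpan.MaxValue (Int64.MaxValue ticks) appears as Int64.MaxValue // 10_000 ms.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477


def is_timespan_max(ms: int) -> bool:
    """True when a reported delay is the TimeSpan.MaxValue sentinel (an effectively infinite wait)."""
    return ms == TIMESPAN_MAX_MS


def strip_link_label(line: str) -> str:
    """Drop the trailing 'Jump to ...' hyperlink text so the value regexes see only the path/number."""
    line = line.strip()
    for suffix in LINK_SUFFIXES:
        if line.endswith(suffix):
            return line[: -len(suffix)]
    return line


def parse_evidence(lines):
    """Split evidence lines into (source, dropped_path) and (source, delay_ms) records."""
    dropped, delays = [], []
    for raw in lines:
        line = strip_link_label(raw)
        if m := DROPPED_RE.match(line):
            dropped.append((m["src"], m["path"]))
        elif m := DELAY_RE.match(line):
            delays.append((m["src"], int(m["ms"])))
    return dropped, delays


def product_dir(path: str, depth: int = 3) -> str:
    """Collapse a file path to its first `depth` components, e.g. C:\\Program Files (x86)\\Adobe."""
    parts = PureWindowsPath(path).parts
    return str(PureWindowsPath(*parts[:depth]))


def summarize_dropped(dropped, depth: int = 3) -> Counter:
    """Count rewritten executables per product directory: the restore-from-media worklist."""
    return Counter(product_dir(path, depth) for _, path in dropped)


def infinite_sleepers(delays):
    """Sorted list of processes that parked a thread on a TimeSpan.MaxValue wait."""
    return sorted({src for src, ms in delays if is_timespan_max(ms)})


if __name__ == "__main__":
    dropped, delays = parse_evidence(SAMPLE_LINES)
    print("Rewritten executables per product directory:")
    for directory, count in summarize_dropped(dropped).most_common():
        print(f"  {count:3d}  {directory}")
    print("Processes with a TimeSpan.MaxValue wait:")
    for src in infinite_sleepers(delays):
        print(f"       {src}")
```

Running it over the complete report (pipe the evidence lines in instead of SAMPLE_LINES) turns the hundred-odd dropped-file entries into a short per-product list; every executable in that list should be treated as infected and replaced from installation media rather than trusted after a scan, since the file infector rewrote the original binary in place.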

Stealing of Sensitive Information

Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED

Remote Access Functionality

Source: IntelCpHeciSvc.exe, 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: IntelCpHeciSvc.exe, 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: IntelCpHeciSvc.exe, 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: IntelCpHeciSvc.exe, 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: IntelCpHeciSvc.exe, 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED