top title background image
flash

KFoTnHP6B2.exe

Status: finished
Submission Time: 2021-10-27 18:59:18 +02:00
Malicious
Spreader
Trojan
Evader
FormBook Neshta

Comments

Tags

  • exe

Details

  • Analysis ID:
    510391
  • API (Web) ID:
    877960
  • Analysis Started:
    2021-10-27 19:02:20 +02:00
  • Analysis Finished:
    2021-10-27 19:13:06 +02:00
  • MD5:
    df330ab2a2e5aa4ac947315ee3f93992
  • SHA1:
    76b5d1eee342b47fe58e2136a067712cbd210351
  • SHA256:
    99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
  • Technologies:

Joe Sandbox

Engine Download Report Detection Info
malicious
malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
clean
0/100

Third Party Analysis Engines

malicious
Score: 22/67
malicious
Score: 15/44

URLs

Name Detection
http://nsis.sf.net/NSIS_Error
http://nsis.sf.net/NSIS_ErrorError
http://www.autoitscript.com/autoit3/

Dropped files

Name File Type Hashes Detection
C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
Click to see the 97 hidden entries
C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Au3Info.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Au3Check.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\AutoIt3\Uninstall.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#
C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
#