Windows Analysis Report
java_update.exe

Overview

General Information

Sample name:	java_update.exe
Analysis ID:	1465837
MD5:	bc4206081a6f4206dc5b63948b05ef4b
SHA1:	4e48607de38ccb23ed81c1d19c8884fec2863ce9
SHA256:	b771a64bbfce8232710851ea13f5408cc28133ac0537ff1309c749ce85f42633
Infos:

Detection

AsyncRAT, Neshta, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected Neshta

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: java_update.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Delf.I

Found malware configuration

Source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Virustotal: Detection: 83%	Perma Link
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: java_update.exe	ReversingLabs: Detection: 97%
Source: java_update.exe	Virustotal: Detection: 89%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: java_update.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: 45.141.26.232
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: 6666
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: <123456789>
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: <Xwormmm>
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: ddos
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: USB.exe
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: %ProgramData%
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: Java Update Checker (64 bit).exe

Uses 32bit PE files

Source: java_update.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.141.26.232

Yara detected Generic Downloader

Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 45.141.26.232:6666

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: Uninstall.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Uninstall.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.me
Source: powershell.exe, 00000003.00000002.1900839755.0000000003371000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1923339892.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1935367351.00000000088FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000011.00000002.2361460775.0000000008962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microK
Source: powershell.exe, 00000011.00000002.2361460775.000000000897D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2361460775.00000000089A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft/
Source: powershell.exe, 0000000E.00000002.2356534559.00000000077F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftI
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: java_update.exe, Java Update Checker (64 bit).exe.1.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: svchost.com, 00000002.00000002.2231810961.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Uninstall.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: java_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBfq
Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: Uninstall.exe.2.dr	String found in binary or memory: https://mozilla.org0/
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Uninstall.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Aut2exe.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: java_update.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: Java Update Checker (64 bit).exe.1.dr, XLogger.cs	.Net Code: KeyboardLayout

Installs a raw input device (often for capturing keystrokes)

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_f703ff8d-9

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: java_update.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Creates driver files

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Windows\svchost.com			Jump to behavior
Source: C:\Windows\svchost.com	File created: C:\Windows\directx.sys			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B891771	1_2_00007FFD9B891771
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B896662	1_2_00007FFD9B896662
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B890610	1_2_00007FFD9B890610
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B8958B6	1_2_00007FFD9B8958B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051DB490	3_2_051DB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051DB470	3_2_051DB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08D93E98	3_2_08D93E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050FB490	11_2_050FB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050FB470	11_2_050FB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08D33E98	11_2_08D33E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0521B4A0	14_2_0521B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0521B490	14_2_0521B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08C13A98	14_2_08C13A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_0521B490	17_2_0521B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_0521B470	17_2_0521B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_08E73E98	17_2_08E73E98

Sample file is different than original file name gathered from version info

Source: java_update.exe, 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamewdsa.exe4 vs java_update.exe
Source: java_update.exe, 00000001.00000002.2980468023.000000001C17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs java_update.exe
Source: java_update.exe	Binary or memory string: OriginalFilenamewdsa.exe4 vs java_update.exe

Uses 32bit PE files

Source: java_update.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Yara signature match

Source: java_update.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: java_update.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: java_update.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: java_update.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.1.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: java_update.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: java_update.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Java Update Checker (64 bit).exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Java Update Checker (64 bit).exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@23/183@1/2

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Mutant created: \Sessions\1\BaseNamedObjects\omb7mZjvAq0auoSy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: java_update.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.29%

Source: C:\Users\user\Desktop\java_update.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\java_update.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: java_update.exe	ReversingLabs: Detection: 97%
Source: java_update.exe	Virustotal: Detection: 89%

Source: C:\Users\user\Desktop\java_update.exe

File read: C:\Users\user\Desktop\java_update.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\java_update.exe "C:\Users\user\Desktop\java_update.exe"
Source: C:\Users\user\Desktop\java_update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\java_update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'

Source: C:\Users\user\Desktop\java_update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\java_update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: java_update.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: java_update.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: java_update.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: java_update.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: java_update.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: java_update.exe.0.dr, Messages.cs	.Net Code: Memory
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: Memory

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D504D pushfd ; ret	3_2_051D5062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D5098 pushfd ; ret	3_2_051D5062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D50B8 pushfd ; ret	3_2_051D5062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D6348 push eax; ret	3_2_051D6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D4277 push esi; ret	3_2_051D42E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D42A8 push esi; ret	3_2_051D42E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08D98BD8 push eax; ret	3_2_08D98BD3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F2520 push esp; retf	11_2_050F252D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F21ED push eax; retf	11_2_050F21F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F6338 push eax; ret	11_2_050F6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F4200 push ebx; ret	11_2_050F42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F2D95 pushfd ; retf	11_2_050F2DD2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F2DCD pushfd ; retf	11_2_050F2DE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F3A9D push ebx; retf	11_2_050F3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F3ADD push ebx; retf	11_2_050F3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08D35281 push 95E8C88Bh; ret	11_2_08D35288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_05212C70 push 04B807B9h; retf	14_2_05212D0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_05210E85 push esi; ret	14_2_05210E9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08C17A04 push eax; iretd	14_2_08C17A0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08C187EE push eax; ret	14_2_08C187F3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_05216338 push eax; ret	17_2_05216341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_05214277 push ebx; ret	17_2_052142DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_05213ACD push ebx; retf	17_2_05213ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA5785 push edi; retf 0007h	17_2_07CA5786
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA569D push esi; retf 0007h	17_2_07CA569E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA4E90 push eax; retf 0007h	17_2_07CA500E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA0CE8 push cs; retf 0007h	17_2_07CA0E0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA0488 push es; retf 0007h	17_2_07CA06A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA528D push edx; retf 0007h	17_2_07CA528E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA5001 push eax; retf 0007h	17_2_07CA500E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_08E77800 push eax; retf	17_2_08E77801

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\java_update.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Executable created and started: C:\Windows\svchost.com

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File created: C:\ProgramData\Java Update Checker (64 bit).exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File created: C:\ProgramData\Java Update Checker (64 bit).exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\java_update.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: java_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: java_update.exe, Java Update Checker (64 bit).exe.1.dr	Binary or memory string: SBIEDLL.DLLINFO

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Memory allocated: 15A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Memory allocated: 1B350000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Window / User API: threadDelayed 3929	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Window / User API: threadDelayed 5609	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3236
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 669
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3905

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe TID: 8176	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep count: 3905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: Java Update Checker (64 bit).exe.1.dr	Binary or memory string: vmware
Source: java_update.exe, 00000001.00000002.2980468023.000000001C120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Code function: 1_2_00007FFD9B896E61 CheckRemoteDebuggerPresent,

1_2_00007FFD9B896E61

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'

Bypasses PowerShell execution policy

Source: C:\Windows\svchost.com

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Jump to dropped file

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\java_update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

AV process strings found (often used to terminate AV products)

Source: java_update.exe, 00000001.00000002.2980468023.000000001C1F8000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2961382992.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2980468023.000000001C1B1000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2980468023.000000001C120000.00000004.00000020.00020000.00000000.sdmp, java_update.exe, 00000001.00000002.2980468023.000000001C17E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
45.141.26.232	unknown	Netherlands		62068	SPECTRAIPSpectraIPBVNL	true

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown
45.141.26.232	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: java_update.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Delf.I

Found malware configuration

Source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Virustotal: Detection: 83%	Perma Link
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: java_update.exe	ReversingLabs: Detection: 97%
Source: java_update.exe	Virustotal: Detection: 89%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: java_update.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: 45.141.26.232
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: 6666
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: <123456789>
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: <Xwormmm>
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: ddos
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: USB.exe
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: %ProgramData%
Source: 1.0.java_update.exe.e60000.0.unpack	String decryptor: Java Update Checker (64 bit).exe

Uses 32bit PE files

Source: java_update.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.141.26.232

Yara detected Generic Downloader

Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 45.141.26.232:6666

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: Uninstall.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Uninstall.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.me
Source: powershell.exe, 00000003.00000002.1900839755.0000000003371000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1923339892.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1935367351.00000000088FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000011.00000002.2361460775.0000000008962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microK
Source: powershell.exe, 00000011.00000002.2361460775.000000000897D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2361460775.00000000089A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000000B.00000002.2358182918.000000000889C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft/
Source: powershell.exe, 0000000E.00000002.2356534559.00000000077F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftI
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Uninstall.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: java_update.exe, Java Update Checker (64 bit).exe.1.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: svchost.com, 00000002.00000002.2231810961.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Uninstall.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: java_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1910750935.0000000005466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.00000000053E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.00000000055C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: Uninstall.exe.2.dr, armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr, unpack200.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000003.00000002.1910750935.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2285866607.0000000005291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2287207179.0000000005471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2292459669.00000000052B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBfq
Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2292459669.0000000005406000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr, pwahelper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: Uninstall.exe.2.dr	String found in binary or memory: https://mozilla.org0/
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000003.00000002.1919244563.000000000637A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324521202.00000000062F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2334742070.00000000064D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2331798038.0000000006318000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Uninstall.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Aut2exe.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: java_update.exe.0.dr, XLogger.cs	.Net Code: KeyboardLayout
Source: Java Update Checker (64 bit).exe.1.dr, XLogger.cs	.Net Code: KeyboardLayout

Installs a raw input device (often for capturing keystrokes)

Source: integrator.exe.0.dr

Binary or memory string: RegisterRawInputDevices

memstr_f703ff8d-9

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: java_update.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Creates driver files

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Windows\svchost.com			Jump to behavior
Source: C:\Windows\svchost.com	File created: C:\Windows\directx.sys			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B891771	1_2_00007FFD9B891771
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B896662	1_2_00007FFD9B896662
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B890610	1_2_00007FFD9B890610
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Code function: 1_2_00007FFD9B8958B6	1_2_00007FFD9B8958B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051DB490	3_2_051DB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051DB470	3_2_051DB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08D93E98	3_2_08D93E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050FB490	11_2_050FB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050FB470	11_2_050FB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08D33E98	11_2_08D33E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0521B4A0	14_2_0521B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0521B490	14_2_0521B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08C13A98	14_2_08C13A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_0521B490	17_2_0521B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_0521B470	17_2_0521B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_08E73E98	17_2_08E73E98

Sample file is different than original file name gathered from version info

Source: java_update.exe, 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamewdsa.exe4 vs java_update.exe
Source: java_update.exe, 00000001.00000002.2980468023.000000001C17E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs java_update.exe
Source: java_update.exe	Binary or memory string: OriginalFilenamewdsa.exe4 vs java_update.exe

Uses 32bit PE files

Source: java_update.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Yara signature match

Source: java_update.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: java_update.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: java_update.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: java_update.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.1.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Java Update Checker (64 bit).exe.1.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: java_update.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: java_update.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Java Update Checker (64 bit).exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Java Update Checker (64 bit).exe.1.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@23/183@1/2

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Mutant created: \Sessions\1\BaseNamedObjects\omb7mZjvAq0auoSy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: java_update.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.29%

Source: C:\Users\user\Desktop\java_update.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\java_update.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: java_update.exe	ReversingLabs: Detection: 97%
Source: java_update.exe	Virustotal: Detection: 89%

Source: C:\Users\user\Desktop\java_update.exe

File read: C:\Users\user\Desktop\java_update.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\java_update.exe "C:\Users\user\Desktop\java_update.exe"
Source: C:\Users\user\Desktop\java_update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\java_update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'

Source: C:\Users\user\Desktop\java_update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\java_update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: java_update.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: java_update.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: java_update.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: java_update.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: java_update.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: java_update.exe.0.dr, Messages.cs	.Net Code: Memory
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: Java Update Checker (64 bit).exe.1.dr, Messages.cs	.Net Code: Memory

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D504D pushfd ; ret	3_2_051D5062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D5098 pushfd ; ret	3_2_051D5062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D50B8 pushfd ; ret	3_2_051D5062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D6348 push eax; ret	3_2_051D6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D4277 push esi; ret	3_2_051D42E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_051D42A8 push esi; ret	3_2_051D42E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08D98BD8 push eax; ret	3_2_08D98BD3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F2520 push esp; retf	11_2_050F252D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F21ED push eax; retf	11_2_050F21F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F6338 push eax; ret	11_2_050F6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F4200 push ebx; ret	11_2_050F42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F2D95 pushfd ; retf	11_2_050F2DD2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F2DCD pushfd ; retf	11_2_050F2DE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F3A9D push ebx; retf	11_2_050F3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_050F3ADD push ebx; retf	11_2_050F3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08D35281 push 95E8C88Bh; ret	11_2_08D35288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_05212C70 push 04B807B9h; retf	14_2_05212D0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_05210E85 push esi; ret	14_2_05210E9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08C17A04 push eax; iretd	14_2_08C17A0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_08C187EE push eax; ret	14_2_08C187F3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_05216338 push eax; ret	17_2_05216341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_05214277 push ebx; ret	17_2_052142DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_05213ACD push ebx; retf	17_2_05213ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA5785 push edi; retf 0007h	17_2_07CA5786
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA569D push esi; retf 0007h	17_2_07CA569E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA4E90 push eax; retf 0007h	17_2_07CA500E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA0CE8 push cs; retf 0007h	17_2_07CA0E0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA0488 push es; retf 0007h	17_2_07CA06A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA528D push edx; retf 0007h	17_2_07CA528E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_07CA5001 push eax; retf 0007h	17_2_07CA500E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_08E77800 push eax; retf	17_2_08E77801

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\java_update.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Executable created and started: C:\Windows\svchost.com

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File created: C:\ProgramData\Java Update Checker (64 bit).exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File created: C:\ProgramData\Java Update Checker (64 bit).exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\java_update.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: java_update.exe, 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: java_update.exe, Java Update Checker (64 bit).exe.1.dr	Binary or memory string: SBIEDLL.DLLINFO

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Memory allocated: 15A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Memory allocated: 1B350000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Window / User API: threadDelayed 3929	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Window / User API: threadDelayed 5609	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3236
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 669
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3905

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\java_update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe TID: 8176	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep count: 3905 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\java_update.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: Java Update Checker (64 bit).exe.1.dr	Binary or memory string: vmware
Source: java_update.exe, 00000001.00000002.2980468023.000000001C120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Code function: 1_2_00007FFD9B896E61 CheckRemoteDebuggerPresent,

1_2_00007FFD9B896E61

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'

Bypasses PowerShell execution policy

Source: C:\Windows\svchost.com

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\java_update.exe

File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Jump to dropped file

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\java_update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe "C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2234036394.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 6624, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: java_update.exe, type: SAMPLE
Source: Yara match	File source: 1.0.java_update.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1716627555.0000000000E62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2964590079.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java_update.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\Java Update Checker (64 bit).exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\java_update.exe, type: DROPPED

Windows Analysis Report
java_update.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1465837
Product:	CloudBasic
Start time:	06:50:16
Start date:	02.07.2024
Sample:	java_update.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	bc4206081a6f4206dc5b63948b05ef4b
SHA1:	4e48607de38ccb23ed81c1d19c8884fec2863ce9
SHA256:	b771a64bbfce8232710851ea13f5408cc28133ac0537ff1309c749ce85f42633
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.29%

Windows Analysis Report java_update.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
java_update.exe

Malware Threat Intel
Provided by