Edit tour

Windows Analysis Report
a.hta

Overview

General Information

Sample name:	a.hta
Analysis ID:	1546207
MD5:	9d17c4b02df4c09f0912771f0768ff44
SHA1:	97c2da4a8ab00dd13a08a202b6735a323711eadc
SHA256:	7ac2fc998131815c7796e3f6f308a5c194e8cb0f1ba7fb6cc04f167d0b867de8
Tags:	htauser-abuse_ch
Infos:

Detection

DarkComet, DarkTortilla, Neshta

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkComet

Yara detected DarkTortilla Crypter

Yara detected Neshta

AI detected suspicious sample

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Sigma detected: Legitimate Application Dropped Executable

Uses dynamic DNS services

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Classes Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6824 cmdline: mshta.exe "C:\Users\user\Desktop\a.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

update.exe (PID: 6168 cmdline: "C:\Users\user\AppData\Local\Temp\update.exe" MD5: 7D6CE4CA1A1E80C7160D97FF2E9A7E19)

update.exe (PID: 1540 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\update.exe" MD5: 4FDD1D23C2AF53C55B526BF5C4F81751)

CasPol.exe (PID: 3988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkComet	DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.	APT33 Lazarus Group Operation C-Major	http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/ https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Malware Configuration

Threatname: DarkComet

{
  "MUTEX": "DCMIN_MUTEX-VJDLRRX",
  "SID": "Data",
  "NETDATA": [
    "datacenterclient.ddns.net:1604"
  ],
  "GENCODE": "C6pvdi01dB5X",
  "OFFLINEK": "1"
}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\svchost.com	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Windows\svchost.com	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Uninstall.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Uninstall.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Check.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Check.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Info.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Users\user\AppData\Local\Temp\update.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Users\user\AppData\Local\Temp\update.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
Click to see the 317 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2236803635.0000000007C80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000006.00000002.2680766218.00000000004B2000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1535415846.0000000009B83000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000006.00000002.2682704519.000000000242A000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x9e8:$k2: #KCMDDC51#-890 0xa28:$k2: #KCMDDC51#-890 0xa48:$k2: #KCMDDC51#-890
00000006.00000002.2682704519.0000000002431000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xf80:$b: #EOF DARKCOMET DATA --
00000006.00000002.2682704519.00000000023D8000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x138:$a: #BEGIN DARKCOMET DATA -- 0x2b8:$a: #BEGIN DARKCOMET DATA -- 0x1cb:$b: #EOF DARKCOMET DATA -- 0x34b:$b: #EOF DARKCOMET DATA --
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x839bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e32d:$a2: is now open!\| 0x7dc88:$a3: ActiveOnlineKeylogger 0x7e38c:$a4: #BOT#RunPrompt 0x7d434:$a5: GETMONITORS
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e2c8:$bot1: #BOT#OpenUrl 0x7e344:$bot2: #BOT#Ping 0x7e38c:$bot3: #BOT#RunPrompt 0x7e44c:$bot4: #BOT#SvrUninstall 0x7e594:$bot5: #BOT#URLDownload 0x7e4ac:$bot6: #BOT#URLUpdate 0x7e2b0:$bot7: #BOT#VisitUrl 0x7e3f0:$bot8: #BOT#CloseServer 0x7e638:$ddos1: DDOSHTTPFLOOD 0x7e650:$ddos2: DDOSSYNFLOOD 0x7e668:$ddos3: DDOSUDPFLOOD 0x7dc88:$keylogger1: ActiveOnlineKeylogger 0x7dcaa:$keylogger1: ActiveOnlineKeylogger 0x7dca8:$keylogger2: UnActiveOnlineKeylogger 0x7dd04:$keylogger3: ActiveOfflineKeylogger 0x7dd26:$keylogger3: ActiveOfflineKeylogger 0x7dd24:$keylogger4: UnActiveOfflineKeylogger 0x7e930:$shell1: ACTIVEREMOTESHELL 0x7e95c:$shell2: SUBMREMOTESHELL 0x7e974:$shell3: KILLREMOTESHELL
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	DarkComet_4	unknown	unknown	0x7e2b0:$a1: #BOT# 0x7e2c8:$a1: #BOT# 0x7e344:$a1: #BOT# 0x7e38c:$a1: #BOT# 0x7e3f0:$a1: #BOT# 0x7e44c:$a1: #BOT# 0x7e4ac:$a1: #BOT# 0x7e594:$a1: #BOT# 0x7e9cc:$a2: WEBCAMSTOP 0x7dd68:$a3: UnActiveOnlineKeyStrokes 0x7e218:$a4: #SendTaskMgr 0x7e6bc:$a5: #RemoteScreenSize 0x7d510:$a6: ping 127.0.0.1 -n 4 > NUL &&
00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2bf4c:$s1: %s, ClassID: %s 0x2c218:$s2: %s, ProgID: "%s" 0x6d1c0:$s3: #KCMDDC51# 0x7e2b0:$s4: #BOT#VisitUrl 0x7e2c8:$s5: #BOT#OpenUrl 0x7e344:$s6: #BOT#Ping 0x7e38c:$s7: #BOT#RunPrompt 0x7e3f0:$s8: #BOT#CloseServer 0x7e44c:$s9: #BOT#SvrUninstall 0x7e4ac:$s10: #BOT#URLUpdate 0x7e594:$s11: #BOT#URLDownload 0x7e310:$s12: BTRESULTOpen 0x7e358:$s12: BTRESULTPing\|Respond 0x7e3a4:$s12: BTRESULTRun 0x7e40c:$s12: BTRESULTClose 0x7e468:$s12: BTRESULTUninstall\|uninstall 0x7e534:$s12: BTRESULTUpdate 0x82484:$s12: BTRESULTUDP 0x82928:$s12: BTRESULTSyn 0x83654:$s12: BTRESULTVisit 0x839bc:$s12: BTRESULTHTTP
00000002.00000002.1838576344.0000000000409000.00000004.00000001.01000000.0000000B.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000003.00000002.2223742390.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: update.exe PID: 6168	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: update.exe PID: 1540	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: update.exe PID: 1540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CasPol.exe PID: 3988	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: CasPol.exe PID: 3988	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: CasPol.exe PID: 3988	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0xa348:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x96da:$a2: is now open!\| 0x9283:$a3: ActiveOnlineKeylogger 0x9752:$a4: #BOT#RunPrompt 0x8e21:$a5: GETMONITORS
Process Memory Space: CasPol.exe PID: 3988	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x98c0:$a1: #BOT#URLUpdate 0x9777:$a2: Command successfully executed! 0x9799:$a2: Command successfully executed! 0x171:$b1: FastMM Borland Edition 0x18a:$b1: FastMM Borland Edition 0x2718:$b2: %s, ClassID: %s 0x2728:$b2: %s, ClassID: %s 0x84ff:$b3: I wasn't able to open the hosts file 0x8557:$b3: I wasn't able to open the hosts file 0x969b:$b4: #BOT#VisitUrl 0x7b65:$b5: #KCMDDC 0x13f1e:$b5: #KCMDDC 0x13f2d:$b5: #KCMDDC 0x13f5f:$b5: #KCMDDC
Process Memory Space: CasPol.exe PID: 3988	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x96aa:$bot1: #BOT#OpenUrl 0x96e8:$bot2: #BOT#Ping 0x96f3:$bot2: #BOT#Ping 0x9752:$bot3: #BOT#RunPrompt 0x983b:$bot4: #BOT#SvrUninstall 0x9a2b:$bot5: #BOT#URLDownload 0x98c0:$bot6: #BOT#URLUpdate 0x969b:$bot7: #BOT#VisitUrl 0x97b9:$bot8: #BOT#CloseServer 0x9a80:$ddos1: DDOSHTTPFLOOD 0x9a8f:$ddos2: DDOSSYNFLOOD 0x9a9c:$ddos3: DDOSUDPFLOOD 0x9283:$keylogger1: ActiveOnlineKeylogger 0x929b:$keylogger1: ActiveOnlineKeylogger 0x9299:$keylogger2: UnActiveOnlineKeylogger 0x92d1:$keylogger3: ActiveOfflineKeylogger 0x92ea:$keylogger3: ActiveOfflineKeylogger 0x92e8:$keylogger4: UnActiveOfflineKeylogger 0x9c2e:$shell1: ACTIVEREMOTESHELL 0x9c47:$shell2: SUBMREMOTESHELL 0x9c57:$shell3: KILLREMOTESHELL
Process Memory Space: CasPol.exe PID: 3988	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x146da:$a: #BEGIN DARKCOMET DATA -- 0x142ee:$b: #EOF DARKCOMET DATA -- 0x1476d:$b: #EOF DARKCOMET DATA -- 0x1478a:$b: #EOF DARKCOMET DATA -- 0x13f1e:$k2: #KCMDDC51#-890 0x13f2d:$k2: #KCMDDC51#-890 0x13f5f:$k2: #KCMDDC51#-890
Process Memory Space: CasPol.exe PID: 3988	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x98c0:$a1: #BOT#URLUpdate 0x9777:$a2: Command successfully executed! 0x9799:$a2: Command successfully executed! 0x171:$b1: FastMM Borland Edition 0x18a:$b1: FastMM Borland Edition 0x2718:$b2: %s, ClassID: %s 0x2728:$b2: %s, ClassID: %s 0x84ff:$b3: I wasn't able to open the hosts file 0x8557:$b3: I wasn't able to open the hosts file 0x969b:$b4: #BOT#VisitUrl 0x7b65:$b5: #KCMDDC 0x13f1e:$b5: #KCMDDC 0x13f2d:$b5: #KCMDDC 0x13f5f:$b5: #KCMDDC
Process Memory Space: CasPol.exe PID: 3988	DarkComet_4	unknown	unknown	0x969b:$a1: #BOT# 0x96aa:$a1: #BOT# 0x96e8:$a1: #BOT# 0x96f3:$a1: #BOT# 0x9752:$a1: #BOT# 0x97b9:$a1: #BOT# 0x983b:$a1: #BOT# 0x98c0:$a1: #BOT# 0x9a2b:$a1: #BOT# 0x9c8e:$a2: WEBCAMSTOP 0x9318:$a3: UnActiveOnlineKeyStrokes 0x9632:$a4: #SendTaskMgr 0x9647:$a4: #SendTaskMgr 0x9acc:$a5: #RemoteScreenSize 0x8e8c:$a6: ping 127.0.0.1 -n 4 > NUL &&
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.update.exe.400000.0.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
2.0.update.exe.400000.0.unpack	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
3.2.update.exe.7c80000.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
3.2.update.exe.7c80000.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
6.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
6.2.CasPol.exe.400000.0.raw.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
6.2.CasPol.exe.400000.0.raw.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x839bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e32d:$a2: is now open!\| 0x7dc88:$a3: ActiveOnlineKeylogger 0x7e38c:$a4: #BOT#RunPrompt 0x7d434:$a5: GETMONITORS
6.2.CasPol.exe.400000.0.raw.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
6.2.CasPol.exe.400000.0.raw.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e2c8:$bot1: #BOT#OpenUrl 0x7e344:$bot2: #BOT#Ping 0x7e38c:$bot3: #BOT#RunPrompt 0x7e44c:$bot4: #BOT#SvrUninstall 0x7e594:$bot5: #BOT#URLDownload 0x7e4ac:$bot6: #BOT#URLUpdate 0x7e2b0:$bot7: #BOT#VisitUrl 0x7e3f0:$bot8: #BOT#CloseServer 0x7e638:$ddos1: DDOSHTTPFLOOD 0x7e650:$ddos2: DDOSSYNFLOOD 0x7e668:$ddos3: DDOSUDPFLOOD 0x7dc88:$keylogger1: ActiveOnlineKeylogger 0x7dcaa:$keylogger1: ActiveOnlineKeylogger 0x7dca8:$keylogger2: UnActiveOnlineKeylogger 0x7dd04:$keylogger3: ActiveOfflineKeylogger 0x7dd26:$keylogger3: ActiveOfflineKeylogger 0x7dd24:$keylogger4: UnActiveOfflineKeylogger 0x7e930:$shell1: ACTIVEREMOTESHELL 0x7e95c:$shell2: SUBMREMOTESHELL 0x7e974:$shell3: KILLREMOTESHELL
6.2.CasPol.exe.400000.0.raw.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
6.2.CasPol.exe.400000.0.raw.unpack	DarkComet_4	unknown	unknown	0x7e2b0:$a1: #BOT# 0x7e2c8:$a1: #BOT# 0x7e344:$a1: #BOT# 0x7e38c:$a1: #BOT# 0x7e3f0:$a1: #BOT# 0x7e44c:$a1: #BOT# 0x7e4ac:$a1: #BOT# 0x7e594:$a1: #BOT# 0x7e9cc:$a2: WEBCAMSTOP 0x7dd68:$a3: UnActiveOnlineKeyStrokes 0x7e218:$a4: #SendTaskMgr 0x7e6bc:$a5: #RemoteScreenSize 0x7d510:$a6: ping 127.0.0.1 -n 4 > NUL &&
6.2.CasPol.exe.400000.0.raw.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2bf4c:$s1: %s, ClassID: %s 0x2c218:$s2: %s, ProgID: "%s" 0x6d1c0:$s3: #KCMDDC51# 0x7e2b0:$s4: #BOT#VisitUrl 0x7e2c8:$s5: #BOT#OpenUrl 0x7e344:$s6: #BOT#Ping 0x7e38c:$s7: #BOT#RunPrompt 0x7e3f0:$s8: #BOT#CloseServer 0x7e44c:$s9: #BOT#SvrUninstall 0x7e4ac:$s10: #BOT#URLUpdate 0x7e594:$s11: #BOT#URLDownload 0x7e310:$s12: BTRESULTOpen 0x7e358:$s12: BTRESULTPing\|Respond 0x7e3a4:$s12: BTRESULTRun 0x7e40c:$s12: BTRESULTClose 0x7e468:$s12: BTRESULTUninstall\|uninstall 0x7e534:$s12: BTRESULTUpdate 0x82484:$s12: BTRESULTUDP 0x82928:$s12: BTRESULTSyn 0x83654:$s12: BTRESULTVisit 0x839bc:$s12: BTRESULTHTTP
6.2.CasPol.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.CasPol.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
6.2.CasPol.exe.400000.0.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
6.2.CasPol.exe.400000.0.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x839bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e32d:$a2: is now open!\| 0x7dc88:$a3: ActiveOnlineKeylogger 0x7e38c:$a4: #BOT#RunPrompt 0x7d434:$a5: GETMONITORS
6.2.CasPol.exe.400000.0.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
6.2.CasPol.exe.400000.0.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e2c8:$bot1: #BOT#OpenUrl 0x7e344:$bot2: #BOT#Ping 0x7e38c:$bot3: #BOT#RunPrompt 0x7e44c:$bot4: #BOT#SvrUninstall 0x7e594:$bot5: #BOT#URLDownload 0x7e4ac:$bot6: #BOT#URLUpdate 0x7e2b0:$bot7: #BOT#VisitUrl 0x7e3f0:$bot8: #BOT#CloseServer 0x7e638:$ddos1: DDOSHTTPFLOOD 0x7e650:$ddos2: DDOSSYNFLOOD 0x7e668:$ddos3: DDOSUDPFLOOD 0x7dc88:$keylogger1: ActiveOnlineKeylogger 0x7dcaa:$keylogger1: ActiveOnlineKeylogger 0x7dca8:$keylogger2: UnActiveOnlineKeylogger 0x7dd04:$keylogger3: ActiveOfflineKeylogger 0x7dd26:$keylogger3: ActiveOfflineKeylogger 0x7dd24:$keylogger4: UnActiveOfflineKeylogger 0x7e930:$shell1: ACTIVEREMOTESHELL 0x7e95c:$shell2: SUBMREMOTESHELL 0x7e974:$shell3: KILLREMOTESHELL
6.2.CasPol.exe.400000.0.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
6.2.CasPol.exe.400000.0.unpack	DarkComet_4	unknown	unknown	0x7e2b0:$a1: #BOT# 0x7e2c8:$a1: #BOT# 0x7e344:$a1: #BOT# 0x7e38c:$a1: #BOT# 0x7e3f0:$a1: #BOT# 0x7e44c:$a1: #BOT# 0x7e4ac:$a1: #BOT# 0x7e594:$a1: #BOT# 0x7e9cc:$a2: WEBCAMSTOP 0x7dd68:$a3: UnActiveOnlineKeyStrokes 0x7e218:$a4: #SendTaskMgr 0x7e6bc:$a5: #RemoteScreenSize 0x7d510:$a6: ping 127.0.0.1 -n 4 > NUL &&
6.2.CasPol.exe.400000.0.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2bf4c:$s1: %s, ClassID: %s 0x2c218:$s2: %s, ProgID: "%s" 0x6d1c0:$s3: #KCMDDC51# 0x7e2b0:$s4: #BOT#VisitUrl 0x7e2c8:$s5: #BOT#OpenUrl 0x7e344:$s6: #BOT#Ping 0x7e38c:$s7: #BOT#RunPrompt 0x7e3f0:$s8: #BOT#CloseServer 0x7e44c:$s9: #BOT#SvrUninstall 0x7e4ac:$s10: #BOT#URLUpdate 0x7e594:$s11: #BOT#URLDownload 0x7e310:$s12: BTRESULTOpen 0x7e358:$s12: BTRESULTPing\|Respond 0x7e3a4:$s12: BTRESULTRun 0x7e40c:$s12: BTRESULTClose 0x7e468:$s12: BTRESULTUninstall\|uninstall 0x7e534:$s12: BTRESULTUpdate 0x82484:$s12: BTRESULTUDP 0x82928:$s12: BTRESULTSyn 0x83654:$s12: BTRESULTVisit 0x839bc:$s12: BTRESULTHTTP
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Executable

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 6824, TargetFilename: C:\Users\user\AppData\Local\Temp\update.exe

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\update.exe, ProcessId: 6168, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:22:25.244230+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.8	49711	TCP
2024-10-31T16:23:04.513889+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.8	49716	TCP

ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:22:10.095923+0100	2019823	1	Exploit Kit Activity Detected	161.97.130.110	443	192.168.2.8	49705	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:22:09.158883+0100	2028371	3	Unknown Traffic	192.168.2.8	49705	161.97.130.110	443	TCP

ETPRO MALWARE Backdoor.Win32.DarkKomet Keep-Alive

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:23:32.073377+0100	2809530	1	A Network Trojan was detected	192.168.2.8	49783	5.252.53.95	1604	TCP

ETPRO MALWARE DarkComet-RAT activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:23:25.777509+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49736	5.252.53.95	1604	TCP
2024-10-31T16:23:26.995388+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49748	5.252.53.95	1604	TCP
2024-10-31T16:23:28.214018+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49755	5.252.53.95	1604	TCP
2024-10-31T16:23:30.854586+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49774	5.252.53.95	1604	TCP
2024-10-31T16:23:32.073377+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49783	5.252.53.95	1604	TCP
2024-10-31T16:23:33.995354+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49797	5.252.53.95	1604	TCP
2024-10-31T16:23:36.885907+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49816	5.252.53.95	1604	TCP
2024-10-31T16:23:39.526542+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49834	5.252.53.95	1604	TCP
2024-10-31T16:23:40.745264+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49842	5.252.53.95	1604	TCP
2024-10-31T16:23:43.401829+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49859	5.252.53.95	1604	TCP
2024-10-31T16:23:44.621320+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49866	5.252.53.95	1604	TCP
2024-10-31T16:23:48.075168+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49885	5.252.53.95	1604	TCP
2024-10-31T16:23:50.026494+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49898	5.252.53.95	1604	TCP
2024-10-31T16:23:51.245191+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49904	5.252.53.95	1604	TCP
2024-10-31T16:23:53.182860+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49916	5.252.53.95	1604	TCP
2024-10-31T16:23:56.885911+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49936	5.252.53.95	1604	TCP
2024-10-31T16:23:58.104836+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49942	5.252.53.95	1604	TCP
2024-10-31T16:23:59.323738+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49949	5.252.53.95	1604	TCP
2024-10-31T16:24:01.245450+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49960	5.252.53.95	1604	TCP
2024-10-31T16:24:03.948426+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49979	5.252.53.95	1604	TCP
2024-10-31T16:24:06.948463+0100	2807821	1	A Network Trojan was detected	192.168.2.8	49999	5.252.53.95	1604	TCP
2024-10-31T16:24:09.245396+0100	2807821	1	A Network Trojan was detected	192.168.2.8	50016	5.252.53.95	1604	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Neshta.A

Found malware configuration

Source: 00000006.00000002.2682704519.00000000023D8000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: DarkComet {"MUTEX": "DCMIN_MUTEX-VJDLRRX", "SID": "Data", "NETDATA": ["datacenterclient.ddns.net:1604"], "GENCODE": "C6pvdi01dB5X", "OFFLINEK": "1"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	ReversingLabs: Detection: 94%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	ReversingLabs: Detection: 100%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 161.97.130.110:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 161.97.130.110:443 -> 192.168.2.8:49705 version: TLS 1.2

Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.2.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.2.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdbdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoadfsb.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.2.dr
Source:	Binary string: MpCopyAccelerator.pdbGCTL source: MpCopyAccelerator.exe0.2.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: Aut2exe_x64.exe.2.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE.2.dr
Source:	Binary string: MpCopyAccelerator.pdb source: MpCopyAccelerator.exe0.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdb source: msoadfsb.exe.2.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: 2.0.update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1535415846.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838576344.0000000000409000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: update.exe PID: 6168, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\update.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49736 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49748 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49755 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49783 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2809530 - Severity 1 - ETPRO MALWARE Backdoor.Win32.DarkKomet Keep-Alive : 192.168.2.8:49783 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49797 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49774 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49834 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49842 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49859 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49866 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49885 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49904 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49816 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49898 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49916 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49936 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49942 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49949 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49960 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49999 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:50016 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2807821 - Severity 1 - ETPRO MALWARE DarkComet-RAT activity : 192.168.2.8:49979 -> 5.252.53.95:1604
Source: Network traffic	Suricata IDS: 2019823 - Severity 1 - ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit) : 161.97.130.110:443 -> 192.168.2.8:49705

Uses dynamic DNS services

Source: unknown

DNS query: name: datacenterclient.ddns.net

Source: global traffic

TCP traffic: 192.168.2.8:49723 -> 5.252.53.95:1604

Source: Joe Sandbox View	ASN Name: CONTABODE CONTABODE
Source: Joe Sandbox View	ASN Name: AS-WAVE-1US AS-WAVE-1US

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 161.97.130.110:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49711
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49716

Source: global traffic	HTTP traffic detected: GET /datasing.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: newshostingsupdate.com
Source: global traffic	HTTP traffic detected: GET /features/favicon.ico HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.hyperwrite.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /datasing.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: newshostingsupdate.com
Source: global traffic	HTTP traffic detected: GET /features/favicon.ico HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.hyperwrite.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.hyperwrite.com
Source: global traffic	DNS traffic detected: DNS query: newshostingsupdate.com
Source: global traffic	DNS traffic detected: DNS query: datacenterclient.ddns.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1635Content-Type: text/htmlServer: Microsoft-IIS/6.0MicrosoftOfficeWebServer: 5.0_PubX-Powered-By: ASP.NETDate: Thu, 31 Oct 2024 15:22:07 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 54 68 65 20 70 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 66 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 57 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0d 0a 3c 53 54 59 4c 45 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 42 4f 44 59 20 7b 20 66 6f 6e 74 3a 20 38 70 74 2f 31 32 70 74 20 76 65 72 64 61 6e 61 20 7d 0d 0a 20 20 48 31 20 7b 20 66 6f 6e 74 3a 20 31 33 70 74 2f 31 35 70 74 20 76 65 72 64 61 6e 61 20 7d 0d 0a 20 20 48 32 20 7b 20 66 6f 6e 74 3a 20 38 70 74 2f 31 32 70 74 20 76 65 72 64 61 6e 61 20 7d 0d 0a 20 20 41 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 72 65 64 20 7d 0d 0a 20 20 41 3a 76 69 73 69 74 65 64 20 7b 20 63 6f 6c 6f 72 3a 20 6d 61 72 6f 6f 6e 20 7d 0d 0a 3c 2f 53 54 59 4c 45 3e 0d 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 54 41 42 4c 45 20 77 69 64 74 68 3d 35 30 30 20 62 6f 72 64 65 72 3d 30 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 31 30 3e 3c 54 52 3e 3c 54 44 3e 0d 0a 0d 0a 3c 68 31 3e 54 68 65 20 70 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 2c 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 0d 0a 3c 68 72 3e 0d 0a 3c 70 3e 50 6c 65 61 73 65 20 74 72 79 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 3a 3c 2f 70 3e 0d 0a 3c 75 6c 3e 0d 0a 3c 6c 69 3e 4d 61 6b 65 20 73 75 72 65 20 74 68 61 74 20 74 68 65 20 57 65 62 20 73 69 74 65 20 61 64 64 72 65 73 73 20 64 69 73 70 6c 61 79 65 64 20 69 6e 20 74 68 65 20 61 64 64 72 65 73 73 20 62 61 72 20 6f 66 20 79 6f 75 72 20 62 72 6f 77 73 65 72 20 69 73 20 73 70 65 6c 6c 65 64 20 61 6e 64 20 66 6f 72 6d 61 74 74 65 64 20 63 6f 72 72 65 63 74 6c 79 2e 3c 2f 6c 69 3e 0d 0a 3c 6c 69 3e 49 66 20 79 6f 75 20 72 65 61 63 68 65 64 20 74 68 69 73 20 70 61 67 65 20 62 79 20 63 6c 69 63 6b 69 6e 67 20 61 20 6c 69 6e 6b 2c 20 63 6f 6e 74 61 63 74 0d 0a 20 74 68 65 20 57 65 62 20 73 69 74 65 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 74 6f 20 61 6c 65 72 74 20 74 68 65 6d 20 74 68 61 74 20 74 68 65 20 6c 69 6e 6b 20 69 73 20 69 6e 63 6f 72 72 65 63 74 6c 79 20 66 6f 72 6d 61 74 74 6

Source: integrator.exe.2.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: OLicenseHeartbeat.exe.2.dr	String found in binary or memory: http://CodeTypeIsExpectedOffice.System.ResultGlobal
Source: msoadfsb.exe.2.dr	String found in binary or memory: http://aka.ms/sdxdebug
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543722230.000000000358C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000358C000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543722230.000000000358C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000358C000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jaureg.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AdobeARMHelper.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://es5.github.io/#x15.4.4.21
Source: MSOHTMED.EXE.2.dr	String found in binary or memory: http://https://ftp://.htmlGot
Source: jucheck.exe.2.dr	String found in binary or memory: http://java.sun.com
Source: jucheck.exe.2.dr	String found in binary or memory: http://java.sun.comnot
Source: Uninstall.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543722230.000000000358C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000358C000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mshta.exe, 00000000.00000003.1534512710.0000000009FB9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1534165574.0000000009FBE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1535695350.0000000009CA7000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000002.00000003.1540422783.000000000209D000.00000004.00001000.00020000.00000000.sdmp, java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: update.exe, 00000003.00000002.2235392415.00000000058A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://stackoverflow.com/a/1465386/4224163
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://stackoverflow.com/questions/1068834/object-comparison-in-javascript
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.2.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://www.computerhope.com/forum/index.php?topic=76293.0
Source: java.exe.2.dr, AdobeARMHelper.exe.2.dr, jucheck.exe.2.dr, unpack200.exe.2.dr, jusched.exe.2.dr, jaureg.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mshta.exe, 00000000.00000003.1543722230.000000000358C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000358C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/
Source: mshta.exe, 00000000.00000003.1543722230.000000000356D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546591235.0000000003559000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543722230.0000000003559000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1547604813.0000000009139000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.000000000354F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546484277.000000000351F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546484277.000000000354F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1544093302.0000000009139000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp, a.hta	String found in binary or memory: http://www.hyperwrite.com/features/favicon.ico
Source: mshta.exe, 00000000.00000002.1546709325.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1541114192.00000000035B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/features/favicon.ico...s
Source: mshta.exe, 00000000.00000002.1547579160.0000000009130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/features/favicon.icoP
Source: mshta.exe, 00000000.00000002.1546611172.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.00000000035A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/features/favicon.icoR
Source: mshta.exe, 00000000.00000002.1546611172.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.00000000035A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/features/favicon.icoe
Source: mshta.exe, 00000000.00000003.1543722230.000000000356D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/features/favicon.icok
Source: mshta.exe, 00000000.00000003.1543722230.000000000356D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hyperwrite.com/features/favicon.ico~
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: http://www.tutorialspoint.com/javascript/array_map.htm
Source: OcPubMgr.exe.2.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm
Source: msedge.exe.2.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: msedge.exe.2.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: msedge.exe.2.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: msedge_proxy.exe.2.dr, msedge.exe.2.dr, msedge_pwa_launcher.exe.2.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_proxy.exe.2.dr, msedge.exe.2.dr, msedge_pwa_launcher.exe.2.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml
Source: jucheck.exe.2.dr, jusched.exe.2.dr	String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda
Source: mshta.exe, 00000000.00000002.1546709325.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1541114192.00000000035B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: OLicenseHeartbeat.exe.2.dr	String found in binary or memory: https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader
Source: mshta.exe, 00000000.00000002.1547604813.0000000009139000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1544093302.0000000009139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://newshostingsupdate.com/
Source: mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp, a.hta	String found in binary or memory: https://newshostingsupdate.com/datasing.exe
Source: mshta.exe, 00000000.00000003.1539596441.00000000091E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1547698316.00000000091E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1540089769.00000000091E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543274652.00000000091E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://newshostingsupdate.com/datasing.exeO
Source: integrator.exe.2.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.2.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Aut2exe_x64.exe.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 161.97.130.110:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 161.97.130.110:443 -> 192.168.2.8:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Source: integrator.exe.2.dr

Binary or memory string: RegisterRawInputDevices

Source: Yara match	File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2680766218.00000000004B2000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.update.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Neshta Author: ditekSHen
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 00000006.00000002.2682704519.000000000242A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.2682704519.0000000002431000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.2682704519.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet_4 Author: unknown
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\update.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: Detects Neshta Author: ditekSHen

Yara detected DarkComet

Source: Yara match	File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Code function: 3_2_0853FC48 CreateProcessAsUserW,

Source: C:\Users\user\AppData\Local\Temp\update.exe

File created: C:\Windows\svchost.com

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\update.exe	Code function: 2_3_01FB198B
Source: C:\Users\user\AppData\Local\Temp\update.exe	Code function: 2_3_01FBA98B
Source: C:\Users\user\AppData\Local\Temp\update.exe	Code function: 2_3_01FB6C57
Source: C:\Users\user\AppData\Local\Temp\update.exe	Code function: 2_3_01FBB221
Source: C:\Users\user\AppData\Local\Temp\update.exe	Code function: 2_3_01FB6405
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0117D354
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_072E7F18
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_072E05F0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_072E1F50
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07318780
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07318770
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E57540
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E53020
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E53010
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810E9D0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810AE18
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810FA68
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_081062C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810DB90
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_081051B0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_081055DB
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_081051C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810E9C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810FA58
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810625E
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08530C50
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08530040
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08535408
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085314D8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08532D40
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0853A1A8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0853AA30
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08531EA0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0853EB48
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08538738
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08532C61
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08533C18
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08530006
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08539031
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08533C28
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085314C9
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08531CC9
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0853E508
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08532D0D
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085389C8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085349F8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08534DB0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0853DDA0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08534DA0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08533A50
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08535250
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08535260
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08534A08
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085332C0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085346FA
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08531E90
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08539750
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08534708
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08535F08
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08530F39
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08538727
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08534FD9
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085353FA
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08534FE8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08530B98
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08535FB8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0853C7A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0DC10040
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0DC13408
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0DC10007
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0DC163E0
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0DC106C9
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0DC106D8
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E57515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_00402370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004064C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0043E644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004389B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0045EC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0046ADBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0046797C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_00469B90

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Load Driver

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Security

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00407B10 appears 139 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00407B08 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004218E4 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00405584 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00405530 appears 80 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 004055C8 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00405864 appears 33 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 2.0.update.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 00000006.00000002.2682704519.000000000242A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.2682704519.0000000002431000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.2682704519.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: CasPol.exe PID: 3988, type: MEMORYSTR	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: C:\Windows\svchost.com, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Users\user\AppData\Local\Temp\update.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta

Source: msedge.exe.2.dr	Binary string: @g_interceptionsntdll.dllg_originals\Device\\/?/?\\??\ntdll.dllRtlInitUnicodeStringntdll.dll\KnownDllsDeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedNameuserenvchromeInstallFileslpacChromeInstallFilesmediaFoundationCdmFileslpacMediaFoundationCdmDatalpacEdgeWdagCommslpacChromeNetworkSandboxKeyg_handles_to_close
Source: msedge.exe.2.dr	Binary string: \\.\\Device\DeviceApi\Device\DeviceApi\CMApintdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolume

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winHTA@7/164@3/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 6_2_0048AEA8 AdjustTokenPrivileges,CloseHandle,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 6_2_0042BF5C CoCreateInstanceEx,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 6_2_0048DDE0 FindResourceA,

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\update.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\DCMIN_MUTEX-VJDLRRX

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\update.exe

Jump to behavior

Source: Yara match	File source: 6.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: integrator.exe.2.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.2.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.2.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.2.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\a.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\Temp\update.exe "C:\Users\user\AppData\Local\Temp\update.exe"
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\update.exe "C:\Users\user\AppData\Local\Temp\3582-490\update.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\Temp\update.exe "C:\Users\user\AppData\Local\Temp\update.exe"
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\update.exe "C:\Users\user\AppData\Local\Temp\3582-490\update.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttpcom.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: webio.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\update.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: shfolder.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: napinsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wshbth.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winrnr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.2.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdbOGP source: msedge.exe.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb source: OLicenseHeartbeat.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb source: MSOHTMED.EXE.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb source: msedge.exe.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb source: MSOXMLED.EXE.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.2.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdbdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoadfsb.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.2.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x64\ship\postc2rcross\x-none\msoxmled.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOXMLED.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.2.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.2.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\olicenseheartbeat.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OLicenseHeartbeat.exe.2.dr
Source:	Binary string: MpCopyAccelerator.pdbGCTL source: MpCopyAccelerator.exe0.2.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.2.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.2.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: Aut2exe_x64.exe.2.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.2.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\msohtmed.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: MSOHTMED.EXE.2.dr
Source:	Binary string: MpCopyAccelerator.pdb source: MpCopyAccelerator.exe0.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoadfsb.pdb source: msoadfsb.exe.2.dr

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 3.2.update.exe.7c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.update.exe.7c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2236803635.0000000007C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2223742390.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: update.exe PID: 1540, type: MEMORYSTR

Source: C:\Windows\SysWOW64\mshta.exe	Code function: 0_2_05DBE843 push ds; retf
Source: C:\Windows\SysWOW64\mshta.exe	Code function: 0_2_05DBE800 push ds; retf
Source: C:\Windows\SysWOW64\mshta.exe	Code function: 0_2_05DBE820 push ds; retf
Source: C:\Windows\SysWOW64\mshta.exe	Code function: 0_2_05DBE6CF push ds; retf
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_073125C9 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E5F354 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E50DD7 push ecx; retf EFCDh
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_07E5D189 push ecx; retf 0046h
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_0810C44D push ds; retf 0040h
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08109973 push edi; ret
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_08109B7C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_081013D8 push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Code function: 3_2_085304E5 push edi; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004186D4 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0048F0AC push 0048F125h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0048F6D4 push 0048F761h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_00482058 push 004820C2h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0045E078 push 0045E0DEh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004220E0 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004660F8 push 00466130h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0042E138 push 0042E170h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004741C8 push 00474206h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004041DC push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0046224C push 00462284h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_00464228 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004482C4 push 0044832Eh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0041632A push 004163A2h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0041632C push 004163A2h; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0048E3AC push 0048E3DCh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_0046E3A0 push 0046E3EDh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_004204E4 push ecx; mov dword ptr [esp], edx

Source: update.exe.2.dr, Hs3r.cs	High entropy of concatenated method names: 'Dj8', 'Pz3', 'Jp1', 'MoveNext', 'f1K', 'SetStateMachine', 'Pa59', 'Yq2m', 'p4D3', 'Fp1s'
Source: update.exe.2.dr, o5Z.cs	High entropy of concatenated method names: 'm5B', 'Sk9', 'p1P', 'Ln6', 'Lm0', 'm5C', 'Me9', 'j5L', 'Bt4', 'k5J'

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 2.0.update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1535415846.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838576344.0000000000409000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: update.exe PID: 6168, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\update.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\update.exe

File created: C:\Windows\svchost.com

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\update.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Windows\svchost.com
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\mshta.exe	File created: C:\Users\user\AppData\Local\Temp\update.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\update.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe

Source: C:\Users\user\AppData\Local\Temp\update.exe

File created: C:\Windows\svchost.com

Boot Survival

Yara detected Neshta

Source: Yara match	File source: 2.0.update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1535415846.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838576344.0000000000409000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: update.exe PID: 6168, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\update.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\update.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\update.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

File opened: C:\Users\user\AppData\Local\Temp\3582-490\update.exe\:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: update.exe PID: 1540, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: 1170000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: 2E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: 4E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: 8540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: 9540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: 9720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: A720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: AAD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: BAD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory allocated: CAD0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Window / User API: threadDelayed 2743
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Window / User API: threadDelayed 7088

Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Source: C:\Windows\SysWOW64\mshta.exe TID: 6500	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe TID: 2288	Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe TID: 2288	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3536	Thread sleep time: -48000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\ie\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\
Source: C:\Users\user\AppData\Local\Temp\update.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\resources\ui\font\regular\

Source: update.exe, 00000002.00000002.1838802975.000000000064E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MS3E67~1.PS1MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: update.exe, 00000003.00000002.2236803635.0000000007C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: mshta.exe, 00000000.00000003.1543722230.000000000356D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1547604813.0000000009139000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1544093302.0000000009139000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000003.1544093302.0000000009139000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: CasPol.exe, 00000006.00000002.2682266522.000000000076A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: update.exe, 00000003.00000002.2236803635.0000000007C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\update.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47D000
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 4B6000
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 3C3008

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\Temp\update.exe "C:\Users\user\AppData\Local\Temp\update.exe"
Source: C:\Users\user\AppData\Local\Temp\update.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\update.exe "C:\Users\user\AppData\Local\Temp\3582-490\update.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: CasPol.exe, 00000006.00000002.2682704519.000000000242A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CasPol.exe, CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Progman
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndjjh
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Progmanjhh
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ProgmanU
Source: CasPol.exe, 00000006.00000002.2682704519.000000000242A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ButtonShell_TrayWndj
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_traywndReBarWindow32jh
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_traywndReBarWindow32jhD
Source: CasPol.exe, CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_traywnd
Source: CasPol.exe, 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndPjjh

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3582-490\update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\3582-490\update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: update.exe, 00000002.00000002.1838802975.00000000005DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Stealing of Sensitive Information

Yara detected Neshta

Source: Yara match	File source: 2.0.update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1535415846.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1838576344.0000000000409000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: update.exe PID: 6168, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\update.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	11 Disable or Modify Tools	111 Input Capture	2 File and Directory Discovery	1 Taint Shared Content	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Valid Accounts	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	111 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Access Token Manipulation	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	221 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Valid Accounts	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
a.hta	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Neshta.A
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	97%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Uninstall.exe	95%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	97%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	100%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshta

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.hyperwrite.com	216.158.90.138	true	false	unknown
datacenterclient.ddns.net	5.252.53.95	true	true	unknown
newshostingsupdate.com	161.97.130.110	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://newshostingsupdate.com/datasing.exe	true		unknown
http://www.hyperwrite.com/features/favicon.ico	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://aka.ms/sdxdebug	msoadfsb.exe.2.dr	false		unknown
https://crashpad.chromium.org/bug/new	msedge.exe.2.dr	false		unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service	officeappguardwin32.exe.2.dr	false		unknown
http://stackoverflow.com/a/15123777)	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://tempuri.org/	officeappguardwin32.exe.2.dr	false		unknown
http://www.computerhope.com/forum/index.php?topic=76293.0	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
https://www.autoitscript.com/autoit3/	Aut2exe_x64.exe.2.dr	false		unknown
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	OcPubMgr.exe.2.dr	false		unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	msedge.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse	officeappguardwin32.exe.2.dr	false		unknown
http://purl.oen	update.exe, 00000003.00000002.2235392415.00000000058A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://tempuri.org/IRoamingSettingsService/ReadSettings	officeappguardwin32.exe.2.dr	false		unknown
http://stackoverflow.com/a/1465386/4224163	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://www.tutorialspoint.com/javascript/array_map.htm	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	msedge_proxy.exe.2.dr, msedge.exe.2.dr, msedge_pwa_launcher.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/GetConfigResponse	officeappguardwin32.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R	officeappguardwin32.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/DisableUser	officeappguardwin32.exe.2.dr	false		unknown
http://www.hyperwrite.com/	mshta.exe, 00000000.00000003.1543722230.000000000358C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000358C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://newshostingsupdate.com/datasing.exeO	mshta.exe, 00000000.00000003.1539596441.00000000091E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1547698316.00000000091E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1540089769.00000000091E3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543274652.00000000091E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/8	Aut2exe_x64.exe.2.dr	false		unknown
https://newshostingsupdate.com/	mshta.exe, 00000000.00000002.1547604813.0000000009139000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1544093302.0000000009139000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://es5.github.io/#x15.4.4.21	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/EnableUserResponse	officeappguardwin32.exe.2.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/WriteSettings	officeappguardwin32.exe.2.dr	false		unknown
https://crashpad.chromium.org/	msedge.exe.2.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://www.hyperwrite.com/features/favicon.icoe	mshta.exe, 00000000.00000002.1546611172.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.00000000035A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://https://ftp://.htmlGot	MSOHTMED.EXE.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/DisableUserResponse	officeappguardwin32.exe.2.dr	false		unknown
http://java.sun.comnot	jucheck.exe.2.dr	false		unknown
http://www.hyperwrite.com/features/favicon.icoP	mshta.exe, 00000000.00000002.1547579160.0000000009130000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	Uninstall.exe.2.dr	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/	Aut2exe_x64.exe.2.dr	false		unknown
http://www.hyperwrite.com/features/favicon.ico...s	mshta.exe, 00000000.00000002.1546709325.00000000035BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1541114192.00000000035B9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.hyperwrite.com/features/favicon.icoR	mshta.exe, 00000000.00000002.1546611172.00000000035A1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1543534266.00000000035A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
https://login.windows.net/commonhttps://login.windows.netDBSFetcher::CreateRequestHeader	OLicenseHeartbeat.exe.2.dr	false		unknown
http://java.sun.com	jucheck.exe.2.dr	false		unknown
http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR	officeappguardwin32.exe.2.dr	false		unknown
http://www.hyperwrite.com/features/favicon.ico~	mshta.exe, 00000000.00000003.1543722230.000000000356D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://tempuri.org/IRoamingSettingsService/GetConfig	officeappguardwin32.exe.2.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://www.hyperwrite.com/features/favicon.icok	mshta.exe, 00000000.00000003.1543722230.000000000356D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546611172.000000000356D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://stackoverflow.com/questions/1068834/object-comparison-in-javascript	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse	officeappguardwin32.exe.2.dr	false		unknown
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.2.dr	false		unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects	officeappguardwin32.exe.2.dr	false		unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf	jucheck.exe.2.dr, jusched.exe.2.dr	false		unknown
http://tempuri.org/IRoamingSettingsService/EnableUser	officeappguardwin32.exe.2.dr	false		unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	msedge_proxy.exe.2.dr, msedge.exe.2.dr, msedge_pwa_launcher.exe.2.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
161.97.130.110	newshostingsupdate.com	United States	51167	CONTABODE	true
5.252.53.95	datacenterclient.ddns.net	Germany	11404	AS-WAVE-1US	true
216.158.90.138	www.hyperwrite.com	United States	18450	WEBNXUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546207
Start date and time:	2024-10-31 16:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	a.hta
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winHTA@7/164@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 6824 because there are no executed function
Execution Graph export aborted for target update.exe, PID 6168 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: a.hta

Simulations

Behavior and APIs

Time	Type	Description
11:22:13	API Interceptor	1x Sleep call for process: mshta.exe modified
11:22:18	API Interceptor	206x Sleep call for process: update.exe modified

Process:	C:\Users\user\AppData\Local\Temp\update.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.2970746701197715
Encrypted:	false
SSDEEP:	3072:sr85CqP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvOIXM:k9q4VQjVsxyItKQNhigibKCM
MD5:	C5611345B2807155BF89ECA90379AB14
SHA1:	03A0F7BD2A50895DF6A9311DB3E5C58B574E1BA3
SHA-256:	6AB1464D7BA02FA63FDDFAF5295237352F14F7AF63E443E55D3FFB68A304C304
SHA-512:	18C164973DE987AD9ED1CFCB2AE5557238692B5C50E0F8B8DCECF0B11B2DADBA6C0B5990C532AE8DB578F04BD1CAB3086C78493866C8B989A41DD6251693CA98
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t......................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.854334721317842
TrID:	HyperText Markup Language (12001/1) 40.67% HyperText Markup Language (11501/1) 38.98% HyperText Markup Language (6006/1) 20.35%
File name:	a.hta
File size:	2'205 bytes
MD5:	9d17c4b02df4c09f0912771f0768ff44
SHA1:	97c2da4a8ab00dd13a08a202b6735a323711eadc
SHA256:	7ac2fc998131815c7796e3f6f308a5c194e8cb0f1ba7fb6cc04f167d0b867de8
SHA512:	328df1895e897f6cff164b30c00003d7a5fa11a7665018d676f98e4753c3c5a0b4b183bd6c83e6f873452009b051a8302da821164038d36d35da9b1d0e478c15
SSDEEP:	48:WnvgO2S2IXDMjNsJWRGYjXPd50anePtpBk+P:gx/ojNsYgYL0oqVP
TLSH:	2F41019A591057745B32A3B5EB6EB354D667542F0242CA10382E9A4BBF3100BC535BEF
File Content Preview:	<html>..<head>..<HTA:APPLICATION id="hwHTA".. applicationName="hyperHTA".. border="thin".. borderStyle="normal".. caption="no" .. icon="http://www.hyperwrite.com/features/favicon.ico".. maximizeButton="no".. minimizeButton="no".. s

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 16:22:06.744777918 CET	49704	80	192.168.2.8	216.158.90.138
Oct 31, 2024 16:22:06.749686003 CET	80	49704	216.158.90.138	192.168.2.8
Oct 31, 2024 16:22:06.749759912 CET	49704	80	192.168.2.8	216.158.90.138
Oct 31, 2024 16:22:06.749979019 CET	49704	80	192.168.2.8	216.158.90.138
Oct 31, 2024 16:22:06.755429029 CET	80	49704	216.158.90.138	192.168.2.8
Oct 31, 2024 16:22:07.430119991 CET	80	49704	216.158.90.138	192.168.2.8
Oct 31, 2024 16:22:07.430138111 CET	80	49704	216.158.90.138	192.168.2.8
Oct 31, 2024 16:22:07.430227995 CET	49704	80	192.168.2.8	216.158.90.138
Oct 31, 2024 16:22:07.453582048 CET	49704	80	192.168.2.8	216.158.90.138
Oct 31, 2024 16:22:07.453610897 CET	49704	80	192.168.2.8	216.158.90.138
Oct 31, 2024 16:22:08.229604006 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:08.229650021 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:08.229753017 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:08.233573914 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:08.233602047 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.158674955 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.158883095 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.162796974 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.162808895 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.163086891 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.213705063 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.231513977 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.275341034 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.550162077 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.604310989 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.749561071 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.749572992 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.749625921 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.749644041 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.749659061 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.749735117 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.749768972 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.749784946 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.749814034 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.864959002 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.864972115 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.865019083 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.865112066 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.865144014 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.865159035 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.865190029 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.980576038 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.980618954 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.980659962 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.980736017 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:09.980776072 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:09.980802059 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.095954895 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.095977068 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.096077919 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.096102953 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.096148014 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.218457937 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.218482018 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.218627930 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.218676090 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.218734026 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.326428890 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.326457024 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.326504946 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.326544046 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.326561928 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.326647043 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.441713095 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.441739082 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.441847086 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.441879034 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.441926956 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.560905933 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.560940027 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.560996056 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.561008930 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.561044931 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.561065912 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.564130068 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.564157963 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.564230919 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.564239025 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.564266920 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.564282894 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.679352045 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.679377079 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.679474115 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.679543972 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.679591894 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.788022995 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.788043976 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.788213968 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.788235903 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.788283110 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.902976990 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.902998924 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.903053045 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.903069973 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.903090000 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.903110981 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.909812927 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.909831047 CET	443	49705	161.97.130.110	192.168.2.8
Oct 31, 2024 16:22:10.909878969 CET	49705	443	192.168.2.8	161.97.130.110
Oct 31, 2024 16:22:10.909889936 CET	443	49705	161.97.130.110	192.168.2.8

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 16:22:06.184504986 CET	61721	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:22:06.714348078 CET	53	61721	1.1.1.1	192.168.2.8
Oct 31, 2024 16:22:08.213752985 CET	51290	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:22:08.228142977 CET	53	51290	1.1.1.1	192.168.2.8
Oct 31, 2024 16:23:22.646210909 CET	49404	53	192.168.2.8	1.1.1.1
Oct 31, 2024 16:23:22.656228065 CET	53	49404	1.1.1.1	192.168.2.8

Target ID:	0
Start time:	11:22:04
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\a.hta"
Imagebase:	0x370000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000003.1535415846.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	11:22:48
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:	0x20000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2680766218.00000000004B2000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.2682704519.000000000242A000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.2682704519.0000000002431000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000006.00000002.2682704519.00000000023D8000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_DarkComet, Description: Detects DarkComet, Source: 00000006.00000002.2680766218.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report a.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkComet

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\AutoIt3\Uninstall.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Windows Analysis Report
a.hta

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre