Edit tour

Windows Analysis Report
#U65b0#U7248#U7f51#U5173Srv.exe

Overview

General Information

Sample name:	#U65b0#U7248#U7f51#U5173Srv.exe renamed because original name is a hash value
Original sample name:	Srv.exe
Analysis ID:	1558247
MD5:	64956bf404c5abad670a958c45ece564
SHA1:	2c071527c691eb001777abaad5b9d5c7ca7c1b53
SHA256:	90dd057ac1bdec6b27174681b857af28e2ddd05f84b7536eecd28cf6cc1a1189
Tags:	exemalwareuser-Joker
Infos:

Detection

Bdaejec, Neshta, Ramnit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

Yara detected Neshta

Yara detected Ramnit

AI detected suspicious sample

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Sample is not signed and drops a device driver

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May infect USB drives

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential browser exploit detected (process start blacklist hit)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

#U65b0#U7248#U7f51#U5173Srv.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe" MD5: 64956BF404C5ABAD670A958C45ECE564)

#U65b0#U7248#U7f51#U5173Srv.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe" MD5: 118210E9670E09029643A6866859CFF7)

uvkTKBif.exe (PID: 5144 cmdline: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 8720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1556 MD5: C31336C1EFC2CCB44B4326EA793040F2)

DesktopLayer.exe (PID: 3176 cmdline: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" MD5: 118210E9670E09029643A6866859CFF7)

iexplore.exe (PID: 6672 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 2520 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6672 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

svchost.com (PID: 5908 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a MD5: 2F50ACA08FFC461C86E8FB5BBEDDA142)

ie_to_edge_stub.exe (PID: 4308 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a MD5: 89CF8972D683795DAB6901BC9456675D)

svchost.com (PID: 7212 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a MD5: 2F50ACA08FFC461C86E8FB5BBEDDA142)

msedge.exe (PID: 7228 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7476 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2124,i,13587844842802440522,10807369144858660475,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

svchost.com (PID: 2876 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: 2F50ACA08FFC461C86E8FB5BBEDDA142)

ssvagent.exe (PID: 7176 cmdline: C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

svchost.com (PID: 7544 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 2F50ACA08FFC461C86E8FB5BBEDDA142)

msedge.exe (PID: 7624 cmdline: C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7944 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2844 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8620 cmdline: "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5764 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
Ramnit	According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.	No Attribution	http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html http://www.secureworks.com/research/threat-profiles/gold-fairfax http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html https://artik.blue/malware4	https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
00000000.00000002.2836381813.0000000000409000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 6544	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Process Memory Space: uvkTKBif.exe PID: 5144	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: DesktopLayer.exe PID: 3176	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.DesktopLayer.exe.400000.0.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
1.0.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
4.2.DesktopLayer.exe.404031.1.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
4.2.DesktopLayer.exe.400000.0.raw.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
4.0.DesktopLayer.exe.400000.0.unpack	MAL_Ramnit_May19_1	Detects Ramnit malware	Florian Roth
1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack	JoeSecurity_Ramnit	Yara detected Ramnit	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe, ProcessId: 6544, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a, CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a, CommandLine|base64offset|contains: o{h`, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6672 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 2520, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a, ProcessId: 5908, ProcessName: svchost.com

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 6672, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-19T09:05:59.317082+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.5	54167	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #U65b0#U7248#U7f51#U5173Srv.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.raros	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar%p	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Delf.I

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 8%			Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rar%p	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	ReversingLabs: Detection: 96%

Multi AV Scanner detection for submitted file

Source: #U65b0#U7248#U7f51#U5173Srv.exe	ReversingLabs: Detection: 97%
Source: #U65b0#U7248#U7f51#U5173Srv.exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U65b0#U7248#U7f51#U5173Srv.exe

Joe Sandbox ML: detected

Source: #U65b0#U7248#U7f51#U5173Srv.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.7.dr, pwahelper.exe0.7.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdb source: SELFCERT.EXE.7.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*`r source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSE.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\SpreadsheetCompare.pdb source: SPREADSHEETCOMPARE.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.7.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe.0.dr
Source:	Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.7.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.7.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: WINLOA~1.PDB source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.7.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.7.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTE.EXE.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: AppVDllSurrogate32.pdb source: AppVDllSurrogate32.exe.7.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb source: OSE.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdbT.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SELFCERT.EXE.7.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.7.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source:	Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdateBroker.exe.7.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: AppVlp.pdb source: AppVLP.exe.7.dr
Source:	Binary string: @ntkrnlmp.pdb source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb source: ONENOTE.EXE.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.7.dr
Source:	Binary string: @winload_prod.pdbj source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: AppVDllSurrogate32.pdbGCTL source: AppVDllSurrogate32.exe.7.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.7.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\. source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: javaws.exe0.7.dr
Source:	Binary string: @winload_prod.pdb source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.7.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: T.pdb source: SELFCERT.EXE.7.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.7.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.7.dr, pwahelper.exe0.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.7.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe0.7.dr
Source:	Binary string: AppVlp.pdbGCTL source: AppVLP.exe.7.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\.xs source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp

Spreading

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2836381813.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 6544, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: #U65b0#U7248#U7f51#U5173Srv.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=.\%s shell\explore\command=.\%s USEAUTOPLAY=1 shell\Open\command=.\%s
Source: #U65b0#U7248#U7f51#U5173Srv.exe	Binary or memory string: autorun.inf
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: autorun.inf
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: [autorun]
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: DesktopLayer.exe	Binary or memory string: [autorun] action=Open icon=%%WinDir%%\system32\shell32.dll,4 shellexecute=.\%s shell\explore\command=.\%s USEAUTOPLAY=1 shell\Open\command=.\%s
Source: DesktopLayer.exe	Binary or memory string: autorun.inf
Source: DesktopLayer.exe, 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: autorun.inf
Source: DesktopLayer.exe, 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: [autorun]
Source: DesktopLayer.exe, 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]
Source: DesktopLayer.exe, 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: //--></SCRIPT>RmNautorun.infRECYCLER.exe[autorun]

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_2_004011DF FindFirstFileA,FindClose,	1_2_004011DF
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_007829E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	2_2_007829E2
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004011DF FindFirstFileA,FindClose,	4_2_004011DF

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_00782B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00782B8C

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Windows\svchost.com

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.5:54167 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 44.221.84.105:799

Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_00781099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00781099

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: SELFCERT.EXE.7.dr	String found in binary or memory: http://%s/r/rlidVBASelfCert?clid=%d1.3.6.1.5.5.7.3.32.5.29.372.5.29.11.2.840.113549.1.1.5SelfSignedC
Source: uvkTKBif.exe, 00000002.00000002.3310500480.0000000000783000.00000002.00000001.01000000.00000006.sdmp, uvkTKBif.exe, 00000002.00000003.2043995962.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: integrator.exe.7.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: Uninstall.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Uninstall.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, unpack200.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AdobeARMHelper.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Uninstall.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: uvkTKBif.exe, 00000002.00000002.3310982399.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: uvkTKBif.exe, 00000002.00000002.3311455745.000000000289A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar%p
Source: uvkTKBif.exe, 00000002.00000002.3310982399.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.raros
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000002.2836301122.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.7.dr, Uninstall.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Uninstall.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/
Source: SPREADSHEETCOMPARE.EXE.7.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.7.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: Amcache.hve.22.dr	String found in binary or memory: http://upx.sf.net
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.7.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: jp2launcher.exe.7.dr, GoogleUpdateOnDemand.exe.7.dr, GoogleUpdateBroker.exe.7.dr, javaws.exe0.7.dr, AdobeARMHelper.exe.7.dr, unpack200.exe.0.dr, Uninstall.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: OcPubMgr.exe.7.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm
Source: pwahelper.exe.7.dr, identity_helper.exe.0.dr, pwahelper.exe0.7.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: pwahelper.exe.7.dr, identity_helper.exe.0.dr, pwahelper.exe0.7.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Uninstall.exe.0.dr	String found in binary or memory: https://mozilla.org0/
Source: integrator.exe.7.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: integrator.exe.7.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: Aut2exe.exe.7.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Uninstall.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Aut2exe.exe.7.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

Source: integrator.exe.7.dr

Binary or memory string: RegisterRawInputDevices

memstr_9e4a0018-5

E-Banking Fraud

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.0.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth
Source: 4.0.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Ramnit malware Author: Florian Roth

PE file contains section with special chars

Source: MyProg.exe.2.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: uvkTKBif.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_00541457 NtFreeVirtualMemory,	1_3_00541457
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_00540814 NtProtectVirtualMemory,	1_3_00540814
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_00540335 NtAllocateVirtualMemory,	1_3_00540335
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_005404CC NtQuerySystemInformation,	1_3_005404CC
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_00543519 NtQuerySystemInformation,	1_3_00543519
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_005427A0 NtAllocateVirtualMemory,	1_3_005427A0
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_2_00542740 NtFreeVirtualMemory,	1_2_00542740
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_2_00543519 NtQuerySystemInformation,	1_2_00543519
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_2_005427A0 NtAllocateVirtualMemory,	1_2_005427A0
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B1457 NtFreeVirtualMemory,	4_3_004B1457
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B0814 NtProtectVirtualMemory,	4_3_004B0814
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B0335 NtAllocateVirtualMemory,	4_3_004B0335
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B04CC NtQuerySystemInformation,	4_3_004B04CC
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B3519 NtQuerySystemInformation,	4_3_004B3519
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B27A0 NtAllocateVirtualMemory,	4_3_004B27A0
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004019D4 NtQueryInformationProcess,	4_2_004019D4
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004B2740 NtFreeVirtualMemory,	4_2_004B2740
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004B3519 NtQuerySystemInformation,	4_2_004B3519
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004B27A0 NtAllocateVirtualMemory,	4_2_004B27A0

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Jump to behavior

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Windows\svchost.com			Jump to behavior
Source: C:\Windows\svchost.com	File created: C:\Windows\directx.sys			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_00786076		2_2_00786076
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_00786D00		2_2_00786D00

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1556

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000001.00000000.2041901330.000000000042D000.00000008.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamenedwp.exe0 vs #U65b0#U7248#U7f51#U5173Srv.exe
Source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000001.00000003.2046926889.0000000000717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenedwp.exe0 vs #U65b0#U7248#U7f51#U5173Srv.exe
Source: #U65b0#U7248#U7f51#U5173Srv.exe	Binary or memory string: OriginalFilenamenedwp.exe0 vs #U65b0#U7248#U7f51#U5173Srv.exe
Source: #U65b0#U7248#U7f51#U5173Srv.exe.0.dr	Binary or memory string: OriginalFilenamenedwp.exe0 vs #U65b0#U7248#U7f51#U5173Srv.exe

Source: #U65b0#U7248#U7f51#U5173Srv.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 1.0.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 4.0.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Ramnit_May19_1 date = 2019-05-31, hash1 = d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3, author = Florian Roth, description = Detects Ramnit malware, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

Source: uvkTKBif.exe.1.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: uvkTKBif.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: uvkTKBif.exe.1.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: MpCmdRun.exe0.0.dr

Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathEngineIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@53/262@9/4

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_0078119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_0078119F

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

Code function: 1_2_004027E0 GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,

1_2_004027E0

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

File created: C:\Program Files (x86)\Microsoft\pxA603.tmp

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5144
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Mutant created: \Sessions\1\BaseNamedObjects\KyUffThOkYwRRtgPP

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.7.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.7.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.7.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.7.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: #U65b0#U7248#U7f51#U5173Srv.exe	ReversingLabs: Detection: 97%
Source: #U65b0#U7248#U7f51#U5173Srv.exe	Virustotal: Detection: 87%

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

File read: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe "C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe"
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe C:\Users\user\AppData\Local\Temp\uvkTKBif.exe
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6672 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2124,i,13587844842802440522,10807369144858660475,262144 /prefetch:3
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2844 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5764 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1556
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6672 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe -new
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2124,i,13587844842802440522,10807369144858660475,262144 /prefetch:3
Source: C:\Windows\svchost.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2844 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5764 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.7.dr, pwahelper.exe0.7.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdb source: cookie_exporter.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdb source: SELFCERT.EXE.7.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*`r source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSE.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: IEContentService.exe.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\SpreadsheetCompare.pdb source: SPREADSHEETCOMPARE.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.7.dr
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb# source: aimgr.exe.0.dr
Source:	Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdb source: MicrosoftEdgeComRegisterShellARM64.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.7.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.7.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb00 source: unpack200.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: WINLOA~1.PDB source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.7.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.7.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ONENOTE.EXE.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\cookie_exporter.exe.pdbOGP source: cookie_exporter.exe.0.dr
Source:	Binary string: AppVDllSurrogate32.pdb source: AppVDllSurrogate32.exe.7.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb source: OSE.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdbT.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SELFCERT.EXE.7.dr
Source:	Binary string: MicrosoftEdgeComRegisterShellARM64_unsigned.pdbh source: MicrosoftEdgeComRegisterShellARM64.exe.7.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe0.0.dr
Source:	Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdateBroker.exe.7.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: AppVlp.pdb source: AppVLP.exe.7.dr
Source:	Binary string: @ntkrnlmp.pdb source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\onenote.pdb source: ONENOTE.EXE.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.7.dr
Source:	Binary string: @winload_prod.pdbj source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: AppVDllSurrogate32.pdbGCTL source: AppVDllSurrogate32.exe.7.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe0.0.dr
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.7.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\. source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: javaws.exe0.7.dr
Source:	Binary string: @winload_prod.pdb source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051138210.0000000002115000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\winword.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: WINWORD.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\iecontentservice.pdb source: IEContentService.exe.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.7.dr
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: T.pdb source: SELFCERT.EXE.7.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.7.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.7.dr, pwahelper.exe0.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.7.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe0.7.dr
Source:	Binary string: AppVlp.pdbGCTL source: AppVLP.exe.7.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\.xs source: #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051117990.000000000210C000.00000004.00001000.00020000.00000000.sdmp, #U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000003.2051185492.0000000002116000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Unpacked PE file: 2.2.uvkTKBif.exe.780000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .aspack

Source: uvkTKBif.exe.1.dr	Static PE information: section name: .aspack
Source: uvkTKBif.exe.1.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_0054067A push eax; ret	1_3_005422AF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_3_0054178F push eax; ret	1_3_005422AF
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_2_0054178F push eax; ret	1_2_005422AF
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_00786076 push 007814E1h; ret	2_2_00786425
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_00781638 push dword ptr [00783084h]; ret	2_2_0078170E
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_00782D9B push ecx; ret	2_2_00782DAB
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_0078600A push ebp; ret	2_2_0078600D
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B067A push eax; ret	4_3_004B22AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_3_004B178F push eax; ret	4_3_004B22AF
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004B178F push eax; ret	4_2_004B22AF

Source: uvkTKBif.exe.1.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.934567409269151
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.9346651958510295

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2836381813.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 6544, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Windows\svchost.com	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Executable created and started: C:\Windows\svchost.com

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Jump to behavior

Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Boot Survival

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2836381813.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 6544, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe

Code function: 1_2_00401848 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00401848

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_4-4316

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_2-1171

Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-912

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess

graph_4-4300

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_4-4341
Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-4345

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_00781718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00781754h

2_2_00781718

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	Code function: 1_2_004011DF FindFirstFileA,FindClose,	1_2_004011DF
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	Code function: 2_2_007829E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	2_2_007829E2
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	Code function: 4_2_004011DF FindFirstFileA,FindClose,	4_2_004011DF

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_00782B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00782B8C

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: Amcache.hve.22.dr	Binary or memory string: VMware
Source: Web Data.16.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.16.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.22.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D02000.00000004.00000020.00020000.00000000.sdmp, uvkTKBif.exe, 00000002.00000002.3310982399.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Web Data.16.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.22.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.22.dr	Binary or memory string: vmci.sys
Source: Web Data.16.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.16.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.16.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.16.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.22.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.22.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.22.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.22.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.22.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.22.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Web Data.16.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Amcache.hve.22.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Web Data.16.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Web Data.16.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.22.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.22.dr	Binary or memory string: VMware, Inc.
Source: Web Data.16.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.22.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.22.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.22.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Web Data.16.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.22.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.16.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.16.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Amcache.hve.22.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Web Data.16.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.16.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.22.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Web Data.16.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.16.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.16.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.16.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.16.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.22.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.22.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.22.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Web Data.16.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.22.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Web Data.16.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.16.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.22.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Web Data.16.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe	API call chain: ExitProcess graph end node	graph_1-4276
Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe	API call chain: ExitProcess graph end node	graph_2-887
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node	graph_4-4418
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node	graph_4-4434
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node	graph_4-4287
Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe	API call chain: ExitProcess graph end node	graph_4-4377

Source: C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe "C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe"			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_00781718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

2_2_00781718

Source: C:\Users\user\AppData\Local\Temp\uvkTKBif.exe

Code function: 2_2_0078139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0078139F

Source: Amcache.hve.22.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.22.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.22.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: uvkTKBif.exe PID: 5144, type: MEMORYSTR

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2836381813.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 6544, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: uvkTKBif.exe PID: 5144, type: MEMORYSTR

Yara detected Ramnit

Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.404031.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DesktopLayer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.#U65b0#U7248#U7f51#U5173Srv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2055030585.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U65b0#U7248#U7f51#U5173Srv.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DesktopLayer.exe PID: 3176, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	12 Software Packing	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	322 Masquerading	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	LSA Secrets	111 Security Software Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Process Injection	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U65b0#U7248#U7f51#U5173Srv.exe	97%	ReversingLabs	Win32.Virus.Neshuta
#U65b0#U7248#U7f51#U5173Srv.exe	88%	Virustotal		Browse
#U65b0#U7248#U7f51#U5173Srv.exe	100%	Avira	W32/Delf.I
#U65b0#U7248#U7f51#U5173Srv.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	94%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Uninstall.exe	97%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	100%	ReversingLabs	Win32.Virus.Neshuta

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ddos.dnsnb8.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ddos.dnsnb8.net:799/cj//k1.raros	100%	Avira URL Cloud	malware
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar%p	100%	Avira URL Cloud	malware
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service	0%	Avira URL Cloud	safe
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	Avira URL Cloud	malware
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service	0%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rar%p	11%	Virustotal		Browse
http://%s/r/rlidVBASelfCert?clid=%d1.3.6.1.5.5.7.3.32.5.29.372.5.29.11.2.840.113549.1.1.5SelfSignedC	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false		high
ddos.dnsnb8.net	44.221.84.105	true	false	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/IRoamingSettingsService/WriteSettings	officeappguardwin32.exe.7.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.rar%p	uvkTKBif.exe, 00000002.00000002.3311455745.000000000289A000.00000004.00000010.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://mozilla.org0/	Uninstall.exe.0.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.raros	uvkTKBif.exe, 00000002.00000002.3310982399.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service	officeappguardwin32.exe.7.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/DataSet1.xsd	SPREADSHEETCOMPARE.EXE.7.dr	false		high
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	uvkTKBif.exe, 00000002.00000002.3310500480.0000000000783000.00000002.00000001.01000000.00000006.sdmp, uvkTKBif.exe, 00000002.00000003.2043995962.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	officeappguardwin32.exe.7.dr	false		high
http://upx.sf.net	Amcache.hve.22.dr	false		high
http://tempuri.org/IRoamingSettingsService/DisableUserResponse	officeappguardwin32.exe.7.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	#U65b0#U7248#U7f51#U5173Srv.exe, 00000000.00000002.2836301122.0000000000190000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.7.dr, Uninstall.exe.0.dr	false		high
http://www.autoitscript.com/autoit3/	Aut2exe.exe.7.dr	false		high
https://www.autoitscript.com/autoit3/	Aut2exe.exe.7.dr	false		high
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	OcPubMgr.exe.7.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse	officeappguardwin32.exe.7.dr	false		high
http://tempuri.org/IRoamingSettingsService/ReadSettings	officeappguardwin32.exe.7.dr	false		high
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR	officeappguardwin32.exe.7.dr	false	Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	pwahelper.exe.7.dr, identity_helper.exe.0.dr, pwahelper.exe0.7.dr	false		high
http://tempuri.org/IRoamingSettingsService/GetConfig	officeappguardwin32.exe.7.dr	false		high
http://tempuri.org/IRoamingSettingsService/GetConfigResponse	officeappguardwin32.exe.7.dr	false		high
http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R	officeappguardwin32.exe.7.dr	false		high
http://ddos.dnsnb8.net/	uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/IRoamingSettingsService/DisableUser	officeappguardwin32.exe.7.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.rar	uvkTKBif.exe, 00000002.00000002.3310982399.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, uvkTKBif.exe, 00000002.00000002.3310982399.0000000000D2B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://%s/r/rlidVBASelfCert?clid=%d1.3.6.1.5.5.7.3.32.5.29.372.5.29.11.2.840.113549.1.1.5SelfSignedC	SELFCERT.EXE.7.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse	officeappguardwin32.exe.7.dr	false		high
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.7.dr	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/8	Aut2exe.exe.7.dr	false		high
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects	officeappguardwin32.exe.7.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/EnableUser	officeappguardwin32.exe.7.dr	false		high
http://tempuri.org/IRoamingSettingsService/EnableUserResponse	officeappguardwin32.exe.7.dr	false		high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	pwahelper.exe.7.dr, identity_helper.exe.0.dr, pwahelper.exe0.7.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
44.221.84.105	ddos.dnsnb8.net	United States	14618	AMAZON-AESUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558247
Start date and time:	2024-11-19 09:05:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U65b0#U7248#U7f51#U5173Srv.exe renamed because original name is a hash value
Original Sample Name:	Srv.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@53/262@9/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 51 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.89.167, 2.23.209.177, 2.23.209.180, 2.23.209.181, 2.23.209.171, 2.23.209.175, 2.23.209.179, 2.23.209.167, 2.23.209.173, 2.23.209.168, 13.107.42.16, 13.107.21.239, 204.79.197.239, 142.250.186.174, 204.79.197.200, 142.250.185.206
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, clients2.google.com, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, l-0007.l-msedge.net, ieonline.microsoft.com, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, edge.microsoft.com, any.edge.bing.com, l-0007.config.skype.com, go.microsoft.com.edgekey.net, clients.l.google.com, dual-a-0036.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	FRSSDE.exe	Get hash	malicious	Remcos	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
239.255.255.250	https://192381.clicks.goto-9.net/track/click?u=3634028&p=3139323338313a323a323a303a303a30&s=9805e720a8572b6bbbb06f2979714af5&m=5819	Get hash	malicious	Unknown	Browse
	https://blacksaltys.com	Get hash	malicious	Unknown	Browse
	https://packedbrick.com	Get hash	malicious	Unknown	Browse
	https://recociese.za.com/wpcones/excel.html	Get hash	malicious	Unknown	Browse
	https://sp792669.sitebeat.crazydomains.com	Get hash	malicious	Unknown	Browse
	NTS_eTaxInvoice.html	Get hash	malicious	Unknown	Browse
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse
	http://178.215.224.252/v10/ukyh.php	Get hash	malicious	Unknown	Browse
	http://185.147.124.40/Capcha.html	Get hash	malicious	Unknown	Browse
44.221.84.105	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/of
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	hehckyov.biz/sdgvcmfo
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	gahyhiz.com/login.php
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	gadyciz.com/login.php
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	vocyzit.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	FRSSDE.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
ddos.dnsnb8.net	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	1hdqYXYJkr.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(193).exe	Get hash	malicious	Bdaejec, Stealc	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(212).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(216).exe.dll	Get hash	malicious	Bdaejec, Sality	Browse	44.221.84.105
	A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	BUG32.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse	104.21.92.214
	Swift copy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://gmailnliz19.ebtrk3.com/openurl?lid=5808098873966592&nid=4863316211269632&c=&s=&ci=&e_id=	Get hash	malicious	Unknown	Browse	104.21.92.214
	Swift copy.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	https://fixedzip.oss-ap-southeast-5.aliyuncs.com/replace.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	104.21.85.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.188.199
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
AMAZON-AESUS	owari.mips.elf	Get hash	malicious	Unknown	Browse	44.194.145.154
	owari.sh4.elf	Get hash	malicious	Unknown	Browse	34.234.216.71
	owari.mpsl.elf	Get hash	malicious	Unknown	Browse	54.139.242.167
	owari.x86.elf	Get hash	malicious	Unknown	Browse	18.232.119.218
	mips.elf	Get hash	malicious	Mirai	Browse	54.10.208.229
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	54.221.78.146
	https://uymtnxoiutrbebdxcfngvhbjnklijuygtfbrdxevfcgvhbjn.b-cdn.net/updatinggeneral004/index.html?b=Y3VzdG9tZXJzZXJ2aWNldGVhbUB3YWl0cm9zZS5jby51aw==	Get hash	malicious	Unknown	Browse	54.221.78.146
	phish_alert_sp1_1.0.0.0(1).eml	Get hash	malicious	KnowBe4	Browse	3.221.71.218
	phish_alert_sp1_1.0.0.0.eml	Get hash	malicious	Unknown	Browse	52.6.56.188
	900092839283982.exe	Get hash	malicious	DBatLoader, VIP Keylogger	Browse	3.5.8.191

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AutoIt3\Au3Info.exe	OXrZ6fj4Hq.exe	Get hash	malicious	Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm	Browse
	svchost.exe	Get hash	malicious	Neshta, XWorm	Browse
	Botkiller.exe	Get hash	malicious	Neshta, Njrat	Browse
	dump.exe	Get hash	malicious	Neshta	Browse
	ORDER_SL.EXE.exe	Get hash	malicious	AgentTesla, Neshta	Browse
	Build.exe	Get hash	malicious	DBatLoader, Neshta	Browse
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
	x.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	317032
Entropy (8bit):	6.278820844715542
Encrypted:	false
SSDEEP:	3072:zr8WDrCoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvO9:Puo4VQjVsxyItKQNhigibKCZu
MD5:	0D2813B412DFC381FF2FF8AE35AFBEC3
SHA1:	DC29CD8FC69EDDFDA98FE67B6103EC23EF137888
SHA-256:	9DA09CF18EACF9E99235F4754C9B66C45B74EBC1749D1CEDB80E495DD89C1912
SHA-512:	7619BBAC7D5043109B82A1806414DE9DC162C6C430A9EE23C136627BA2130BEC6930ACB4E613FEA425A22BA48C0E811E98B69C26E041F4337664E27A4BE674E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237160
Entropy (8bit):	6.436536629191244
Encrypted:	false
SSDEEP:	3072:zr8WDrCIyRnuBGwl/1Gc9QnvGqyWQ93kr/yh5DEU/P5kP0zU35iuvQBUeGMLu:Pu7l3wdYtcH9b5Y651zU77Ea
MD5:	80D5957764641A059A246ACC3B876FD8
SHA1:	379F4A825CF3B9EA2CBF96D0AFAA6F5192BE25A0
SHA-256:	B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
SHA-512:	4FE0AECD7F5B44FA5AC52165C566EEE57145AAA2AF59FBB449B7629511C3A727F09E3A91082DE7845490329619C90CA4ACAF4094CFD7888A97B7FBE1F70A7EAB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\uvkTKBif.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590898048910712
Encrypted:	false
SSDEEP:	384:1FJS9XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:8TQGPL4vzZq2o9W7GsxBbPr
MD5:	85F4B592EC788F76EEB4D2C1000B1348
SHA1:	5F19C8A02A587D64376CA28E102E1B4AA2CE1972
SHA-256:	6084A3F6872A59D65E4B22BC59FF40D63F2B5B8EA1EF1D98592B80EB9824240E
SHA-512:	B7909966F8A918FF10DCA9B6D07BF298962B8151679CECBBCEDAD6DD53F2DAF7CD30490B826F151F933C5E481149D872D12E1DAFA79DC0BA108B8C8A756297D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

Process:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	7.30033888451297
Encrypted:	false
SSDEEP:	1536:yxqjQ+P04wsZLnDrC5MXL5uXZnzEDjGCq2iW7zef+hzRsibKplyXTq8OGRnsPFGj:zr8WDrCawnYvGCHymROzoTq0+RO7N
MD5:	64956BF404C5ABAD670A958C45ECE564
SHA1:	2C071527C691EB001777ABAAD5B9D5C7CA7C1B53
SHA-256:	90DD057AC1BDEC6B27174681B857AF28E2DDD05F84B7536EECD28CF6CC1A1189
SHA-512:	F636CA0287BF8778D2ED575E4971BA9B158A3636BA6A44B78F4F6978B3CC6ED1575D1878928458D2AF00811E30429EB36DDA49B8570CF8449FE97A8DD9032BB9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 08:06:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	150850
Entropy (8bit):	1.8135782318141924
Encrypted:	false
SSDEEP:	768:sHTuBVt5ea3WpmgOyvWiWVYE3Y5ptBBZ1B8jw:IcDVYE3Y5ptBBZ1B8jw
MD5:	F3B91A8B4DD44AD233E88066BAEFB55C
SHA1:	107CE4764C2C4AEC9715D47F46DF44F243DAA028
SHA-256:	FDC2ECFF57B8F679EA448577B629C25A67A9E7BD058E159BAA95827AD849F963
SHA-512:	41FB14E78EDC512C55760425C15C512F31DF73A0598E3335A87AD3CEB0B185DE23C81D679DFD56674963DD10CC68593F53B3C71501EDB3D7CE0E958F1C1CA5F1
Malicious:	false
Preview:	MDMP..a..... ........F<g............D...............L.......4...nI..........T.......8...........T............7..............$...........................................................................................eJ..............GenuineIntel............T............F<g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44652
Entropy (8bit):	6.095665003210589
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBvwuDhDO6vP6OmpntTkXEDzVH7cGoup1Xl3jVzXr2:z/Ps+wsI7yOE66Glt/chu3VlXr4CRo1
MD5:	272BE1B0A4611A41831F14ECE5B90824
SHA1:	4D2302AE0B9F960965B267F5ACF12B22BB5D59BF
SHA-256:	5C4539AF84B50153AE2A67C2D2CC5765E76CA58010A489F8368D1838331F2350
SHA-512:	DB59C9814EA03AC0F53D2A4D927629197595985EF7B86F3F31990499884A49A5A6F39E2981F838583E908146BC28E102E22999E65B987A2424053499892FFD58
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.0417623231498006
Encrypted:	false
SSDEEP:	24:rYGo/QxlFlGW/llFOlF8ZlF69lW8v/9lW8:rYGo4bGWph8v+8
MD5:	4C5CAD319F364F09A8910349C99BE3BE
SHA1:	F3D5FF7533D5EF460EC114622F005B88C766FC2E
SHA-256:	58DA28F260F75B0363D81C4E6E231FA6CD16F8F72D01510373ED13BD44F9C0F2
SHA-512:	F57A4C2467315CCE48E83D47957E070996C3E8755DB4DB090C7ABA77F3C753A6EF5BCDBE25BC52823E2C9529954A15520B1ED252240F7A8F735D37CB8FF94E57
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.........................................................................................P...Y:................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.8.2.X.f.G.0.2.m.7.x.G.M.L.O.z.0.u.1.c.N.y.Q.=.=.........:.......................................

Entrypoint:	0x408178
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f4693fc0c511135129493f2161d1e86

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15000	0x864	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x17000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x72c0	0x7400	57df3a5615ac3f00c33b7f1f6f46d36a	False	0.6197804418103449	data	6.521149320889011	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9000	0x218	0x400	7ffc3168a7f3103634abdf3a768ed128	False	0.3623046875	data	3.1516983405583385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa000	0xa899	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x15000	0x864	0xa00	6e7a45521bfca94f1e506361f70e7261	False	0.37421875	data	4.173859768945439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x17000	0x18	0x200	7e6c0f4f4435abc870eb550d5072bad6	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x5cc	0x600	2f4536f51417a33d5e7cc1d66b1ca51e	False	0.8333333333333334	data	6.433117350337874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1400	0x1400	722b5f3feef4e75a20d586ec261ad2b8	False	0.079296875	data	0.7297839655211668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19150	0x10a8	data	Russian	Russia	0.006332082551594747
RT_RCDATA	0x1a1f8	0x10	data			1.5
RT_RCDATA	0x1a208	0xac	data			1.063953488372093
RT_GROUP_ICON	0x1a2b4	0x14	data	Russian	Russia	1.1

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll	StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll	ShellExecuteA, ExtractIconA

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 09:05:59.317081928 CET	54167	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:05:59.412637949 CET	53	54167	1.1.1.1	192.168.2.5
Nov 19, 2024 09:06:13.605210066 CET	57498	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:06:13.605429888 CET	53230	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:06:13.606415987 CET	59980	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:06:13.606950045 CET	58430	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:06:13.612049103 CET	53	57498	1.1.1.1	192.168.2.5
Nov 19, 2024 09:06:13.612385035 CET	53	53230	1.1.1.1	192.168.2.5
Nov 19, 2024 09:06:13.613157034 CET	53	59980	1.1.1.1	192.168.2.5
Nov 19, 2024 09:06:13.613805056 CET	53	58430	1.1.1.1	192.168.2.5
Nov 19, 2024 09:06:13.733297110 CET	59611	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:06:13.733360052 CET	58178	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:06:13.740242004 CET	53	59611	1.1.1.1	192.168.2.5
Nov 19, 2024 09:06:13.740300894 CET	53	58178	1.1.1.1	192.168.2.5
Nov 19, 2024 09:07:18.393840075 CET	59115	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:07:18.394035101 CET	65436	53	192.168.2.5	1.1.1.1
Nov 19, 2024 09:07:18.400805950 CET	53	59115	1.1.1.1	192.168.2.5
Nov 19, 2024 09:07:18.401705027 CET	53	65436	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	03:05:57
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U65b0#U7248#U7f51#U5173Srv.exe"
Imagebase:	0x400000
File size:	114'688 bytes
MD5 hash:	64956BF404C5ABAD670A958C45ECE564
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2836381813.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	03:05:58
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\3582-490\#U65b0#U7248#U7f51#U5173Srv.exe"
Imagebase:	0x400000
File size:	73'216 bytes
MD5 hash:	118210E9670E09029643A6866859CFF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ramnit, Description: Yara detected Ramnit, Source: 00000001.00000002.2047853106.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	03:05:59
Start date:	19/11/2024
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe"
Imagebase:	0x7ff7919e0000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	03:06:01
Start date:	19/11/2024
Path:	C:\Windows\svchost.com
Wow64 process (32bit):	true
Commandline:	"C:\Windows\svchost.com" "C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\117020~1.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Imagebase:	0x400000
File size:	41'472 bytes
MD5 hash:	2F50ACA08FFC461C86E8FB5BBEDDA142
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	03:06:02
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe --from-ie-to-edge=3 --ie-frame-hwnd=1047a
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	03:06:04
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2124,i,13587844842802440522,10807369144858660475,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	03:06:06
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2844 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U65b0#U7248#U7f51#U5173Srv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\AutoIt3\Uninstall.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Windows Analysis Report
#U65b0#U7248#U7f51#U5173Srv.exe

Target ID:	21
Start time:	03:06:10
Start date:	19/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5764 --field-trial-handle=2632,i,6985036185838690149,17869082300210821923,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28.7%
Total number of Nodes:	209
Total number of Limit Nodes:	8

Execution Coverage:	31.1%
Dynamic/Decrypted Code Coverage:	5%
Signature Coverage:	20.4%
Total number of Nodes:	279
Total number of Limit Nodes:	10

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	214
Total number of Limit Nodes:	7

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre