Edit tour

Windows Analysis Report
Plat#U0103 revizuit#U0103_shrunk.exe

Overview

General Information

Sample name:	Plat#U0103 revizuit#U0103_shrunk.exe renamed because original name is a hash value
Original sample name:	Plat revizuit_shrunk.exe
Analysis ID:	1518504
MD5:	8eca59816dc6007ae4a40dc09ac5b66f
SHA1:	7ab4088c162ad70f5456dacd1fe34150e22f9e0d
SHA256:	d4f4ad6ea2e448166edde53a24011ddc5c4e870f7c571f9dd5e390e582ca3d33
Tags:	exeuser-malrpt
Infos:

Detection

AgentTesla, Neshta

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Neshta

Yara detected Telegram RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Plat#U0103 revizuit#U0103_shrunk.exe (PID: 3380 cmdline: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe" MD5: 8ECA59816DC6007AE4A40DC09AC5B66F)

powershell.exe (PID: 5076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 1088 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Plat#U0103 revizuit#U0103_shrunk.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe" MD5: 8ECA59816DC6007AE4A40DC09AC5B66F)

Plat#U0103 revizuit#U0103_shrunk.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe" MD5: 8ECA59816DC6007AE4A40DC09AC5B66F)

iKHPXKiqI.exe (PID: 3748 cmdline: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe MD5: 8ECA59816DC6007AE4A40DC09AC5B66F)

WerFault.exe (PID: 3192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1748 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/sendMessage?chat_id=-4166410344"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.2664611600.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 4836	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: iKHPXKiqI.exe PID: 3748	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.raw.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
10.2.Plat#U0103 revizuit#U0103_shrunk.exe.40a698.1.unpack	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xde48:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xdf10:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xcf0ca:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xcf13c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xcf1c6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xcf258:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xcf2c2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xcf334:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xcf3ca:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xcf45a:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack	MALWARE_Win_Neshta	Detects Neshta	ditekSHen	0xa5500:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus. 0xa55c8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", ParentImage: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe, ParentProcessId: 3380, ParentProcessName: Plat#U0103 revizuit#U0103_shrunk.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", ProcessId: 5076, ProcessName: powershell.exe

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe, ProcessId: 4836, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", ParentImage: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe, ParentProcessId: 3380, ParentProcessName: Plat#U0103 revizuit#U0103_shrunk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp", ProcessId: 6500, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", ParentImage: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe, ParentProcessId: 3380, ParentProcessName: Plat#U0103 revizuit#U0103_shrunk.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", ProcessId: 5076, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe", ParentImage: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe, ParentProcessId: 3380, ParentProcessName: Plat#U0103 revizuit#U0103_shrunk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp", ProcessId: 6500, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: powershell.exe.6568.5.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/sendMessage?chat_id=-4166410344"}
Source: Plat#U0103 revizuit#U0103_shrunk.exe.3380.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Plat#U0103 revizuit#U0103_shrunk.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Joe Sandbox ML: detected

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe1.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.10.dr
Source:	Binary string: NisSrv.pdb source: NisSrv.exe0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdb source: SELFCERT.EXE.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WmQc.pdbs\WmQc.pdbpdbmQc.pdbg\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HP^o(C:\Windows\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\SpreadsheetCompare.pdb source: SPREADSHEETCOMPARE.EXE.10.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSE.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.10.dr
Source:	Binary string: \??\C:\Windows\exe\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe.10.dr
Source:	Binary string: C:\Windows\WmQc.pdbpdbmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !!.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WmQc.pdb^1w^ source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\namecontrolserver.pdb source: NAMECONTROLSERVER.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.10.dr
Source:	Binary string: WmQc.pdb21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32EW source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbE source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @jo.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb} source: iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ker.pdb source: OfficeScrBroker.exe.10.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.10.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbZ source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: chrome.exe.10.dr
Source:	Binary string: WmQc.pdbSHA256 source: iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe
Source:	Binary string: symbols\exe\WmQc.pdbjo source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\iKHPXKiqI.PDB source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: r.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.10.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: filecompare.exe.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdbGCTL source: MsMpEng.exe0.10.dr, MsMpEng.exe.10.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.10.dr
Source:	Binary string: ?joC:\Users\user\AppData\Roaming\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\WmQc.pdbe source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrbroker.pdbker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrBroker.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb source: ORGCHART.EXE.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ORGCHART.EXE.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbP source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb source: OSE.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdbT.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SELFCERT.EXE.10.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe1.10.dr, MpCmdRun.exe0.10.dr, MpCmdRun.exe2.10.dr
Source:	Binary string: \??\C:\Windows\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.10.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe1.10.dr, MpCmdRun.exe0.10.dr, MpCmdRun.exe2.10.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb.1D source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdb source: PerfBoost.exe.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdbd source: MicrosoftEdgeUpdateCore.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\iKHPXKiqI.PDB source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.10.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.10.dr
Source:	Binary string: T.pdb source: SELFCERT.EXE.10.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe1.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr
Source:	Binary string: WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp, iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001405000.00000004.00000020.00020000.00000000.sdmp, iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\WmQc.pdbj source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrbroker.pdb source: OfficeScrBroker.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdb source: MicrosoftEdgeUpdateCore.exe.10.dr
Source:	Binary string: NisSrv.pdbGCTL source: NisSrv.exe0.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdb source: MsMpEng.exe0.10.dr, MsMpEng.exe.10.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: PerfBoost.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\namecontrolserver.pdbb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: NAMECONTROLSERVER.EXE.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.10.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb source: filecompare.exe.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp

Spreading

Yara detected Neshta

Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2664611600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 4836, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00405080 FindFirstFileA,FindNextFileA,FindClose,	10_2_00405080
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00405634 FindFirstFileA,FindNextFileA,FindClose,	10_2_00405634
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404F6C FindFirstFileA,FindClose,	10_2_00404F6C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,	10_2_004056A7

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Code function: 10_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,

10_2_00406D40

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE

Source: SELFCERT.EXE.10.dr	String found in binary or memory: http://%s/r/rlidVBASelfCert?clid=%d1.3.6.1.5.5.7.3.32.5.29.372.5.29.11.2.840.113549.1.1.5SelfSignedC
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NisSrv.exe0.10.dr	String found in binary or memory: http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 0000000A.00000002.2664741761.0000000001130000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, iKHPXKiqI.exe, 0000000B.00000002.2322866054.0000000003127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/
Source: SPREADSHEETCOMPARE.EXE.10.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.10.dr	String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: Aut2exe.exe.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: AutoIt3_x64.exe.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: jp2launcher.exe.10.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: OcPubMgr.exe.10.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/
Source: pwahelper.exe1.10.dr, setup.exe.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: pwahelper.exe1.10.dr, setup.exe.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: NisSrv.exe0.10.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: NisSrv.exe0.10.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: NisSrv.exe0.10.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: FLTLDR.EXE.10.dr

Binary or memory string: RegisterRawInputDevices

memstr_c04288df-1

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Neshta Author: ditekSHen
Source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.40a698.1.unpack, type: UNPACKEDPE	Matched rule: Detects Neshta Author: ditekSHen
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Neshta Author: ditekSHen

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File created: C:\Windows\svchost.com

Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_012CDEEC	0_2_012CDEEC
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_07164510	0_2_07164510
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_07166580	0_2_07166580
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_07166148	0_2_07166148
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_0716D148	0_2_0716D148
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_07166E58	0_2_07166E58
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_07166E48	0_2_07166E48
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_07164948	0_2_07164948
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_02ECDEEC	11_2_02ECDEEC
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_054D0040	11_2_054D0040
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_054D0006	11_2_054D0006
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C6E58	11_2_071C6E58
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C6E48	11_2_071C6E48
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C4510	11_2_071C4510
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C6580	11_2_071C6580
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C4948	11_2_071C4948
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C6148	11_2_071C6148

Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1748

Source: msedgewebview2.exe.10.dr	Static PE information: No import functions for PE file found
Source: msedge_proxy.exe.10.dr	Static PE information: No import functions for PE file found

Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1dc79151-ab82-45c7-a1ea-3f75fbff36ed.exe4 vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2201009082.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2221290682.0000000007E50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1dc79151-ab82-45c7-a1ea-3f75fbff36ed.exe4 vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2216989105.0000000006F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename;' vs Plat#U0103 revizuit#U0103_shrunk.exe
Source: Plat#U0103 revizuit#U0103_shrunk.exe	Binary or memory string: OriginalFilenameWmQc.exe> vs Plat#U0103 revizuit#U0103_shrunk.exe

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.40a698.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta

Source: Plat#U0103 revizuit#U0103_shrunk.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iKHPXKiqI.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, EWBDlTwtvjH60TEEpY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, EWBDlTwtvjH60TEEpY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: OfficeScrBroker.exe.10.dr	Binary string: NtCreateFilentdll.dll\Device\Afd\WepollNtWaitForKeyedEventNtCreateKeyedEventRtlNtStatusToDosErrorNtDeviceIoControlFileNtReleaseKeyedEventtcpwsipcudp%s (%s:%d)
Source: MpCmdRun.exe2.10.dr	Binary string: IdImageFileNameFirst Resource TypeTypeScan SourceFirst Resource PathuserIdResource CountReasonProcessMessagePIDStartStopDataIsSignedFile\Device\\\?\\FI_UNKNOWN\drivers\error: invalid data: System Windows path changed during the trace from "%ls" to "%ls"

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@19/195@0/0

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File created: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3748

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File created: C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp

Jump to behavior

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Plat#U0103 revizuit#U0103_shrunk.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File read: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe C:\Users\user\AppData\Roaming\iKHPXKiqI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1748
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static file information: File size 1592832 > 1048576

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe1.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.10.dr
Source:	Binary string: NisSrv.pdb source: NisSrv.exe0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdb source: SELFCERT.EXE.10.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WmQc.pdbs\WmQc.pdbpdbmQc.pdbg\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HP^o(C:\Windows\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\SpreadsheetCompare.pdb source: SPREADSHEETCOMPARE.EXE.10.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSE.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.10.dr
Source:	Binary string: \??\C:\Windows\exe\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe.10.dr
Source:	Binary string: C:\Windows\WmQc.pdbpdbmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !!.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: WmQc.pdb^1w^ source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\namecontrolserver.pdb source: NAMECONTROLSERVER.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.10.dr
Source:	Binary string: WmQc.pdb21-2246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32EW source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbE source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @jo.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb} source: iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ker.pdb source: OfficeScrBroker.exe.10.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.10.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbZ source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: chrome.exe.10.dr
Source:	Binary string: WmQc.pdbSHA256 source: iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe
Source:	Binary string: symbols\exe\WmQc.pdbjo source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\iKHPXKiqI.PDB source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: r.pdb source: AppSharingHookController.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.10.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: filecompare.exe.10.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdbGCTL source: MsMpEng.exe0.10.dr, MsMpEng.exe.10.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.10.dr
Source:	Binary string: ?joC:\Users\user\AppData\Roaming\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\WmQc.pdbe source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrbroker.pdbker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrBroker.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb source: ORGCHART.EXE.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\orgchart.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: ORGCHART.EXE.10.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbP source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\delivery\x-none\ose.pdb source: OSE.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\selfcert.pdbT.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SELFCERT.EXE.10.dr
Source:	Binary string: MpCmdRun.pdbGCTL source: MpCmdRun.exe1.10.dr, MpCmdRun.exe0.10.dr, MpCmdRun.exe2.10.dr
Source:	Binary string: \??\C:\Windows\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.10.dr
Source:	Binary string: MpCmdRun.pdb source: MpCmdRun.exe1.10.dr, MpCmdRun.exe0.10.dr, MpCmdRun.exe2.10.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb.1D source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdb source: PerfBoost.exe.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdbd source: MicrosoftEdgeUpdateCore.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\iKHPXKiqI.PDB source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.10.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.10.dr
Source:	Binary string: T.pdb source: SELFCERT.EXE.10.dr
Source:	Binary string: in32.pdb source: officeappguardwin32.exe.10.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe1.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr
Source:	Binary string: WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp, iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001405000.00000004.00000020.00020000.00000000.sdmp, iKHPXKiqI.exe, 0000000B.00000002.2317304776.0000000000DD7000.00000004.00000010.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\WmQc.pdbj source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrbroker.pdb source: OfficeScrBroker.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.10.dr
Source:	Binary string: MicrosoftEdgeUpdateCore_unsigned.pdb source: MicrosoftEdgeUpdateCore.exe.10.dr
Source:	Binary string: NisSrv.pdbGCTL source: NisSrv.exe0.10.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2318435074.0000000001373000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsMpEng.pdb source: MsMpEng.exe0.10.dr, MsMpEng.exe.10.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe0.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: PerfBoost.exe.10.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\namecontrolserver.pdbb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: NAMECONTROLSERVER.EXE.10.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007B0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.10.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb source: filecompare.exe.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\WmQc.pdb source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Plat#U0103 revizuit#U0103_shrunk.exe, MainForm.cs	.Net Code: InitializeComponent
Source: iKHPXKiqI.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2c8a258.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2c7da30.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	.Net Code: A4fr1GoWJPe2RT1Dwen System.Reflection.Assembly.Load(byte[])
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.5360000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2cd9b3c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2ccc98c.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	.Net Code: A4fr1GoWJPe2RT1Dwen System.Reflection.Assembly.Load(byte[])
Source: msedge_proxy.exe.10.dr, MainForm.cs	.Net Code: InitializeComponent

Source: Plat#U0103 revizuit#U0103_shrunk.exe

Static PE information: 0xC91F9674 [Fri Dec 4 06:55:48 2076 UTC]

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_012CE02D push ebp; retn 0002h	0_2_012CE032
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_012CAFCA push esi; iretd	0_2_012CAFCB
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 0_2_0716419D push B9FFFFFFh; ret	0_2_071641A2
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_0040802C push 00408052h; ret	10_2_0040804A
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004070A4 push 004070D0h; ret	10_2_004070C8
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004041D8 push 00404204h; ret	10_2_004041FC
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004041A0 push 004041CCh; ret	10_2_004041C4
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404256 push 00404284h; ret	10_2_0040427C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404258 push 00404284h; ret	10_2_0040427C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404210 push 0040423Ch; ret	10_2_00404234
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004042C8 push 004042F4h; ret	10_2_004042EC
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404290 push 004042BCh; ret	10_2_004042B4
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404370 push 0040439Ch; ret	10_2_00404394
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404300 push 0040432Ch; ret	10_2_00404324
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404338 push 00404364h; ret	10_2_0040435C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004043E0 push 0040440Ch; ret	10_2_00404404
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004043A8 push 004043D4h; ret	10_2_004043CC
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00406CE0 push 00406D36h; ret	10_2_00406D2E
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_0040DCAC push ss; iretd	10_2_0040DD4C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00403D28 push 00403D79h; ret	10_2_00403D71
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_0040DE43 push cs; iretd	10_2_0040DE4E
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_0040DEF1 push cs; iretd	10_2_0040DF14
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00403F58 push 00403F84h; ret	10_2_00403F7C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_0040DF15 push ss; iretd	10_2_0040DF4A
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00403F90 push 00403FBCh; ret	10_2_00403FB4
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_054DEB08 pushfd ; iretd	11_2_054DEB09
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Code function: 11_2_071C419D push B9FFFFFFh; ret	11_2_071C41A2

Source: Plat#U0103 revizuit#U0103_shrunk.exe	Static PE information: section name: .text entropy: 7.864633377561674
Source: iKHPXKiqI.exe.0.dr	Static PE information: section name: .text entropy: 7.864633377561674

Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2c8a258.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2c8a258.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2c7da30.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2c7da30.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, i3QFsjjoAPkUndGBmc.cs	High entropy of concatenated method names: 'nxBhvINf01', 'JM5hJVYI0G', 'xkyh5PXUgn', 'DFJhC5ZybL', 'RebhsmNwGI', 'iF3hNIpSUS', 'vmkhGGiMUL', 'AWnLaUPho5', 'QsULMQN5ay', 'hhDLjgUMCR'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, lympCmhAo8DkBB5YJn.cs	High entropy of concatenated method names: 'bCrOkBj3yF', 'lQUO06s2Un', 'RpHOy05m9w', 'JyKOcc9mZl', 'GXXOKH4pcU', 'R6FOeL3XCN', 'qBKOtvRvS6', 'Ge9OH13XRJ', 'CGsOYrVOF5', 'sJxODRq5NA'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, Ev4NU9fl0WsJ9RcSij.cs	High entropy of concatenated method names: 'TsKEUapl2Y', 'jVwESIyy1n', 'ToString', 'M0MECN8NWQ', 'q1ZEsCsu0i', 'J09E48r9q1', 'WYKENl8E8n', 'paVEGsDPgw', 'gBZEFn2Jgh', 'aMDEVMp6JD'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, EWBDlTwtvjH60TEEpY.cs	High entropy of concatenated method names: 'V9hs202UtI', 'sIAs6dkNkR', 'lyTs1aJDbd', 'b5IsosevID', 'HYYsdq58oj', 'T1WsT9MWZ3', 'tpUsa0w3Q4', 'YHisMRBWwf', 'gAYsj4tOJP', 't0Rsn7M02o'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, dHK0JAuufJel4uCYfC.cs	High entropy of concatenated method names: 'leM4PP1phQ', 'AeU49aHpqw', 'DId4kS12me', 'yNb40SQfX7', 'fag48WwoFd', 'qM74pIsRni', 'Hm24E47CPI', 'loJ4Lm9YO0', 'rGL4hSDSqC', 'xeI43pJhBf'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, lbaPktE2bTWtbRkDt5.cs	High entropy of concatenated method names: 'fO0FCfV5kk', 'n8VF4mcPfI', 'jvJFGMXW5B', 'jUqGnuhGS0', 'sxxGzlKef0', 'NytFuOeJJg', 'l5dFvxweGj', 'fLfFbECSmX', 'wytFJbRSIg', 'FXvF5UFpKL'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, qodqsKeqLvo5DFFps0.cs	High entropy of concatenated method names: 'R7BNi9Opoc', 'rx8NXlbyXH', 'EOU4Q10dXb', 'Sut4KeJ4DH', 'NVO4etyoNx', 'PA047gnhPe', 'yCA4tPmLFn', 'NVp4HpoKyC', 'Ebw4Z1ebnZ', 'sCs4YrwrqI'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, nIZjT41dYUX23CleyT.cs	High entropy of concatenated method names: 'SnXFlWS2UG', 'AyaFBAWhW8', 'BypFrojx4u', 'uIHFP6sISb', 'C3bFixMA9I', 'yFNF9E6hFn', 'UFkFXiPDbr', 'eFDFkZU7mU', 'lEZF0KuY5m', 'BUKFqU1nPG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, HDAe46A2O6fF0GX7vE.cs	High entropy of concatenated method names: 'CbFLC7kTI7', 'CfPLs2xjxu', 'wIeL4SnWyK', 'e2yLNv8ENY', 'TdMLGGH3iD', 'SG7LFTibTy', 'CybLVcKHjY', 'vxGLm8du6p', 'PuGLUGNTKM', 'aJgLS3G1L9'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, l33W9b55KZlmGgZZfOs.cs	High entropy of concatenated method names: 'ToString', 'gNp3JLDgqY', 'NBd35L6JMk', 'dKm3R52w7F', 'McF3CCqiHI', 'vuW3s9hcrZ', 'gXt34o9f0C', 'dQx3NfuSva', 'Lat0GLFrDZVByffRPNb', 'VNAPKiFtZypWVKxQwZm'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, uhS9RZ5ahWF0HqJupPq.cs	High entropy of concatenated method names: 'bT3hllU7bm', 'riFhBPMJj4', 'BWkhrcPq6D', 'gWxhP1CnkK', 'bRNhiDwCFY', 'tCYh9GJi6I', 'pMRhXQs52t', 'wR0hkdx87w', 'uhoh0ElEX5', 'hAahqumiXV'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, mnZWJCLmR68gF25k1b.cs	High entropy of concatenated method names: 'ektEMLI7i1', 'NPOEnYTQ6u', 'IogLuOZpJG', 'oP6LvwT5cX', 'DItEDmUFmj', 'y4qEgkEiGO', 'PCpExVbt4e', 'O25E2rZJ8U', 'hfpE6frD0Z', 'bNcE19aM3V'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, nNpPf2bbiU0wr5aAbG.cs	High entropy of concatenated method names: 'tJRGRppK14', 'KQ6Gscq9nC', 'Aw9GNvOMqU', 'tdxGFBqoCC', 'sf2GVJNRk1', 'slfNd9Y4M5', 'BKTNTEIoXV', 'raCNaItRTA', 'qPuNMpb1li', 'uoFNj2jhRw'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	High entropy of concatenated method names: 'pZeJRwNh2J', 'BlsJCUKBu2', 'mtDJsoE9gD', 'ybTJ4584LE', 'SUXJNKU7EM', 'vDFJGXmog0', 'ge8JFWUm4L', 'cysJVjHT6L', 'vuKJmO8QX7', 'yxoJU4C5Mf'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, sMffnmzUkmObinjZBa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DuqhO678ql', 'svQh8yDKvO', 'uiIhph5941', 'urhhEKAGJX', 'FskhLhjcvS', 'vhXhhTkTrL', 'IdDh341Q5i'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, j1GIrwPHgpSbc4PlfT.cs	High entropy of concatenated method names: 'NXCLy4vJ15', 'DFjLcRAklq', 'JhYLQOFx6s', 'j4pLKWHI7c', 'JP1L29CoYY', 'ivwLe24UBS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, jwCfPD5VUsRfBbdgXYY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LMU32Gy81E', 'VJy36eEJRV', 'fgM31Pfw61', 'b2Z3ooitw5', 'rdi3dMVCrd', 'DOZ3ToEYNX', 'U1f3ap0T89'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, dakg5lc8YcgJC3pGDS.cs	High entropy of concatenated method names: 'lePvFRIqSx', 'c9hvV9VkPp', 'iBcvUhBxTs', 'mxCvSbavG5', 'IH3v8OBY0Q', 'KVYvpUnBfd', 'WE6VVmIR9HqicFOc58', 'rOxHNId5OOW8VoUcUp', 'iTovvgOlHw', 'La7vJ753jb'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, wBrAhgpZKKs8gFMTeX.cs	High entropy of concatenated method names: 'rhurNtPmf', 'Bw0PyZ1Mv', 's6g9tv3f0', 'X5UXnJ8aR', 'vtV0N97Io', 'IUjqK3unb', 'RRP6f4XvZxghQE4Zun', 'zxSjGJqkJljY7ZFRtM', 'Vv9Ly93yF', 'tvl3jahZF'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, nv7pDIdaGY08lNoLhp.cs	High entropy of concatenated method names: 'Dispose', 'ptOvjw0vRq', 'AjebcTD0Y4', 'fhvIIrHU6h', 'iFQvnM6hpK', 'fkUvzK4eqi', 'ProcessDialogKey', 's9gbucpt7e', 'AShbvSd6kj', 'UOhbb4MUYb'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.5360000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.5360000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2cd9b3c.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2cd9b3c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2ccc98c.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.2ccc98c.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, i3QFsjjoAPkUndGBmc.cs	High entropy of concatenated method names: 'nxBhvINf01', 'JM5hJVYI0G', 'xkyh5PXUgn', 'DFJhC5ZybL', 'RebhsmNwGI', 'iF3hNIpSUS', 'vmkhGGiMUL', 'AWnLaUPho5', 'QsULMQN5ay', 'hhDLjgUMCR'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, lympCmhAo8DkBB5YJn.cs	High entropy of concatenated method names: 'bCrOkBj3yF', 'lQUO06s2Un', 'RpHOy05m9w', 'JyKOcc9mZl', 'GXXOKH4pcU', 'R6FOeL3XCN', 'qBKOtvRvS6', 'Ge9OH13XRJ', 'CGsOYrVOF5', 'sJxODRq5NA'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, Ev4NU9fl0WsJ9RcSij.cs	High entropy of concatenated method names: 'TsKEUapl2Y', 'jVwESIyy1n', 'ToString', 'M0MECN8NWQ', 'q1ZEsCsu0i', 'J09E48r9q1', 'WYKENl8E8n', 'paVEGsDPgw', 'gBZEFn2Jgh', 'aMDEVMp6JD'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, EWBDlTwtvjH60TEEpY.cs	High entropy of concatenated method names: 'V9hs202UtI', 'sIAs6dkNkR', 'lyTs1aJDbd', 'b5IsosevID', 'HYYsdq58oj', 'T1WsT9MWZ3', 'tpUsa0w3Q4', 'YHisMRBWwf', 'gAYsj4tOJP', 't0Rsn7M02o'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, dHK0JAuufJel4uCYfC.cs	High entropy of concatenated method names: 'leM4PP1phQ', 'AeU49aHpqw', 'DId4kS12me', 'yNb40SQfX7', 'fag48WwoFd', 'qM74pIsRni', 'Hm24E47CPI', 'loJ4Lm9YO0', 'rGL4hSDSqC', 'xeI43pJhBf'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, lbaPktE2bTWtbRkDt5.cs	High entropy of concatenated method names: 'fO0FCfV5kk', 'n8VF4mcPfI', 'jvJFGMXW5B', 'jUqGnuhGS0', 'sxxGzlKef0', 'NytFuOeJJg', 'l5dFvxweGj', 'fLfFbECSmX', 'wytFJbRSIg', 'FXvF5UFpKL'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, qodqsKeqLvo5DFFps0.cs	High entropy of concatenated method names: 'R7BNi9Opoc', 'rx8NXlbyXH', 'EOU4Q10dXb', 'Sut4KeJ4DH', 'NVO4etyoNx', 'PA047gnhPe', 'yCA4tPmLFn', 'NVp4HpoKyC', 'Ebw4Z1ebnZ', 'sCs4YrwrqI'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, nIZjT41dYUX23CleyT.cs	High entropy of concatenated method names: 'SnXFlWS2UG', 'AyaFBAWhW8', 'BypFrojx4u', 'uIHFP6sISb', 'C3bFixMA9I', 'yFNF9E6hFn', 'UFkFXiPDbr', 'eFDFkZU7mU', 'lEZF0KuY5m', 'BUKFqU1nPG'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, HDAe46A2O6fF0GX7vE.cs	High entropy of concatenated method names: 'CbFLC7kTI7', 'CfPLs2xjxu', 'wIeL4SnWyK', 'e2yLNv8ENY', 'TdMLGGH3iD', 'SG7LFTibTy', 'CybLVcKHjY', 'vxGLm8du6p', 'PuGLUGNTKM', 'aJgLS3G1L9'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, l33W9b55KZlmGgZZfOs.cs	High entropy of concatenated method names: 'ToString', 'gNp3JLDgqY', 'NBd35L6JMk', 'dKm3R52w7F', 'McF3CCqiHI', 'vuW3s9hcrZ', 'gXt34o9f0C', 'dQx3NfuSva', 'Lat0GLFrDZVByffRPNb', 'VNAPKiFtZypWVKxQwZm'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, uhS9RZ5ahWF0HqJupPq.cs	High entropy of concatenated method names: 'bT3hllU7bm', 'riFhBPMJj4', 'BWkhrcPq6D', 'gWxhP1CnkK', 'bRNhiDwCFY', 'tCYh9GJi6I', 'pMRhXQs52t', 'wR0hkdx87w', 'uhoh0ElEX5', 'hAahqumiXV'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, mnZWJCLmR68gF25k1b.cs	High entropy of concatenated method names: 'ektEMLI7i1', 'NPOEnYTQ6u', 'IogLuOZpJG', 'oP6LvwT5cX', 'DItEDmUFmj', 'y4qEgkEiGO', 'PCpExVbt4e', 'O25E2rZJ8U', 'hfpE6frD0Z', 'bNcE19aM3V'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, nNpPf2bbiU0wr5aAbG.cs	High entropy of concatenated method names: 'tJRGRppK14', 'KQ6Gscq9nC', 'Aw9GNvOMqU', 'tdxGFBqoCC', 'sf2GVJNRk1', 'slfNd9Y4M5', 'BKTNTEIoXV', 'raCNaItRTA', 'qPuNMpb1li', 'uoFNj2jhRw'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, Q3cYm63WTXjOtmGRQk.cs	High entropy of concatenated method names: 'pZeJRwNh2J', 'BlsJCUKBu2', 'mtDJsoE9gD', 'ybTJ4584LE', 'SUXJNKU7EM', 'vDFJGXmog0', 'ge8JFWUm4L', 'cysJVjHT6L', 'vuKJmO8QX7', 'yxoJU4C5Mf'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, sMffnmzUkmObinjZBa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DuqhO678ql', 'svQh8yDKvO', 'uiIhph5941', 'urhhEKAGJX', 'FskhLhjcvS', 'vhXhhTkTrL', 'IdDh341Q5i'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, j1GIrwPHgpSbc4PlfT.cs	High entropy of concatenated method names: 'NXCLy4vJ15', 'DFjLcRAklq', 'JhYLQOFx6s', 'j4pLKWHI7c', 'JP1L29CoYY', 'ivwLe24UBS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, jwCfPD5VUsRfBbdgXYY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LMU32Gy81E', 'VJy36eEJRV', 'fgM31Pfw61', 'b2Z3ooitw5', 'rdi3dMVCrd', 'DOZ3ToEYNX', 'U1f3ap0T89'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, dakg5lc8YcgJC3pGDS.cs	High entropy of concatenated method names: 'lePvFRIqSx', 'c9hvV9VkPp', 'iBcvUhBxTs', 'mxCvSbavG5', 'IH3v8OBY0Q', 'KVYvpUnBfd', 'WE6VVmIR9HqicFOc58', 'rOxHNId5OOW8VoUcUp', 'iTovvgOlHw', 'La7vJ753jb'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, wBrAhgpZKKs8gFMTeX.cs	High entropy of concatenated method names: 'rhurNtPmf', 'Bw0PyZ1Mv', 's6g9tv3f0', 'X5UXnJ8aR', 'vtV0N97Io', 'IUjqK3unb', 'RRP6f4XvZxghQE4Zun', 'zxSjGJqkJljY7ZFRtM', 'Vv9Ly93yF', 'tvl3jahZF'
Source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.7e50000.6.raw.unpack, nv7pDIdaGY08lNoLhp.cs	High entropy of concatenated method names: 'Dispose', 'ptOvjw0vRq', 'AjebcTD0Y4', 'fhvIIrHU6h', 'iFQvnM6hpK', 'fkUvzK4eqi', 'ProcessDialogKey', 's9gbucpt7e', 'AShbvSd6kj', 'UOhbb4MUYb'

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2664611600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 4836, type: MEMORYSTR

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Boot Survival

Yara detected Neshta

Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2664611600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 4836, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iKHPXKiqI.exe PID: 3748, type: MEMORYSTR

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: 2C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: 4C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: 8030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: 9030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: 9200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Memory allocated: A200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 7E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 8E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 8FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Memory allocated: 9FC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5450	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7502	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDefenderCoreService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{EB80938B-EC00-4683-A2CC-456206E3A4E1}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source user\OSE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe TID: 5140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5236	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5704	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00405080 FindFirstFileA,FindNextFileA,FindClose,	10_2_00405080
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00405634 FindFirstFileA,FindNextFileA,FindClose,	10_2_00405634
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_00404F6C FindFirstFileA,FindClose,	10_2_00404F6C
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Code function: 10_2_004056A7 FindFirstFileA,FindNextFileA,FindClose,	10_2_004056A7

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Code function: 10_2_00406D40 GetLogicalDriveStringsA,GetDriveTypeA,

10_2_00406D40

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\	Jump to behavior

Source: iKHPXKiqI.exe, 0000000B.00000002.2334957405.0000000007AF5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

API call chain: ExitProcess graph end node

graph_10-6162

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe"
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe"	Jump to behavior

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe			Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Memory written: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iKHPXKiqI" /XML "C:\Users\user\AppData\Local\Temp\tmpAD6D.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Process created: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe "C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"	Jump to behavior

Source: AutoIt3_x64.exe.10.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Code function: GetLocaleInfoA,

10_2_00403CB4

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Queries volume information: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Queries volume information: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Code function: 10_2_004057D8 GetLocalTime,

10_2_004057D8

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Code function: 10_2_00403D7D GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

10_2_00403D7D

Source: C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380, type: MEMORYSTR

Yara detected Neshta

Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Plat#U0103 revizuit#U0103_shrunk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2664611600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 4836, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380, type: MEMORYSTR

Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Plat#U0103 revizuit#U0103_shrunk.exe.3cef6e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Plat#U0103 revizuit#U0103_shrunk.exe PID: 3380, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	221 Masquerading	11 Input Capture	1 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	112 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	4 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Plat#U0103 revizuit#U0103_shrunk.exe	29%	ReversingLabs
Plat#U0103 revizuit#U0103_shrunk.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/WriteSettings	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/DisableUserResponse	0%	Avira URL Cloud	safe
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://unitedstates1.ss.wd.microsoft.us/	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/ReadSettings	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/GetConfigResponse	0%	Avira URL Cloud	safe
http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR	0%	Avira URL Cloud	safe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/DisableUser	0%	Avira URL Cloud	safe
http://%s/r/rlidVBASelfCert?clid=%d1.3.6.1.5.5.7.3.32.5.29.372.5.29.11.2.840.113549.1.1.5SelfSignedC	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/GetConfig	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/8	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects	0%	Avira URL Cloud	safe
https://unitedstates2.ss.wd.microsoft.us/	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/EnableUser	0%	Avira URL Cloud	safe
https://unitedstates4.ss.wd.microsoft.us/	0%	Avira URL Cloud	safe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/	0%	Avira URL Cloud	safe
http://tempuri.org/IRoamingSettingsService/EnableUserResponse	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/IRoamingSettingsService/WriteSettings	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	AutoIt3_x64.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DataSet1.xsd	SPREADSHEETCOMPARE.EXE.10.dr	false	Avira URL Cloud: safe	unknown
https://unitedstates1.ss.wd.microsoft.us/	NisSrv.exe0.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/DisableUserResponse	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Plat#U0103 revizuit#U0103_shrunk.exe, 0000000A.00000002.2664741761.0000000001130000.00000004.00000010.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/	Aut2exe.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Aut2exe.exe.10.dr, AutoIt3_x64.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	OcPubMgr.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/ReadSettings	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://canonicalizer.ucsuri.tcs/68007400740070003a002f002f00https://F	NisSrv.exe0.10.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	pwahelper.exe1.10.dr, setup.exe.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/GetConfig	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/GetConfigResponse	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/DisableUser	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://%s/r/rlidVBASelfCert?clid=%d1.3.6.1.5.5.7.3.32.5.29.372.5.29.11.2.840.113549.1.1.5SelfSignedC	SELFCERT.EXE.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/8	Aut2exe.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
http://tempuri.org/IRoamingSettingsService/EnableUser	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://unitedstates2.ss.wd.microsoft.us/	NisSrv.exe0.10.dr	false	Avira URL Cloud: safe	unknown
https://unitedstates4.ss.wd.microsoft.us/	NisSrv.exe0.10.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, iKHPXKiqI.exe, 0000000B.00000002.2322866054.0000000003127000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/IRoamingSettingsService/EnableUserResponse	officeappguardwin32.exe.10.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/	Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Plat#U0103 revizuit#U0103_shrunk.exe, 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	pwahelper.exe1.10.dr, setup.exe.10.dr, pwahelper.exe0.10.dr, pwahelper.exe.10.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518504
Start date and time:	2024-09-25 18:50:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Plat#U0103 revizuit#U0103_shrunk.exe renamed because original name is a hash value
Original Sample Name:	Plat revizuit_shrunk.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@19/195@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 148 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Plat#U0103 revizuit#U0103_shrunk.exe

Simulations

Behavior and APIs

Time	Type	Description
12:51:17	API Interceptor	1x Sleep call for process: Plat#U0103 revizuit#U0103_shrunk.exe modified
12:51:19	API Interceptor	33x Sleep call for process: powershell.exe modified
12:51:22	API Interceptor	1x Sleep call for process: iKHPXKiqI.exe modified
12:51:30	API Interceptor	1x Sleep call for process: WerFault.exe modified
18:51:19	Task Scheduler	Run new task: iKHPXKiqI path: C:\Users\user\AppData\Roaming\iKHPXKiqI.exe

Process:	C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.2842915613810275
Encrypted:	false
SSDEEP:	3072:/OSn2M4MBYoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwB:WSnRuo4VQjVsxyItKQNhigibKCM
MD5:	80676B77D5DB65D41E1224C987306531
SHA1:	BCD9AAF542D1794C41C0C3B76D10826DEBFB40C0
SHA-256:	C861A15936B6A16F1E78D0FDB9400319F6F270C8B56B2F06FC732E18753BD230
SHA-512:	5CE24774FFDF7A7AAC432045D438FB2C8924C5D74D9D6AFE3175330226F34B85C28EFCBFC52D68823448D76E4769130B3486E6DD4F70584A356D1CE9D36010CC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.................0..............8... ...@....@.. ....................................@.................................u8..O....@.......................`......`...p............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H.......tS..lE...........................................................0..d.........}.....(.......(......s7...}.....sM...}.....sM...}.....sM...}......}......}.....~....}......(......0.............o....sO...}.....{.........,n...}.....{.....o......{.....o......{.....{....oI....{....o....X.{....oK....{....o....Xs....o.......(....}........0..Q..........o....sO...}.....{....,..{.......+....,&..{.....{.....{....oe.....{....o......*....0.............o....sO...}.....{....,..{....

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2525651432920988
Encrypted:	false
SSDEEP:	192:hzIBPYZk10BU/iaWeJo1ZruKxrzuiFDZ24IO8oj:VIZuNBU/iax8NzuiFDY4IO8oj
MD5:	9F82904E568542159F955DD26611D131
SHA1:	BB10A3AC5114157D66D79EB25228EAD5B1670745
SHA-256:	BB8D1E1985BEEFC85B3B6CDCA75741E737B753A86E99F9C3C7E723937432B878
SHA-512:	6A62F86E51C40F00E34238EE24B7814FFB7B5AEEEEDEF00D5FF11C3773D949F174F92B9C28FF02D70CD06FA1A60B7A09AB6858B68EB173690EB277CB76DCBFD6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.5.6.6.8.4.8.3.3.3.6.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.5.6.6.8.8.4.7.3.9.8.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.8.0.d.1.a.1.-.d.7.b.2.-.4.4.f.8.-.9.e.9.3.-.d.f.8.a.6.1.0.8.e.1.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.e.4.a.3.7.f.-.9.c.9.8.-.4.9.3.8.-.b.3.0.0.-.b.0.e.2.a.b.8.b.d.3.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.i.K.H.P.X.K.i.q.I...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.m.Q.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.a.4.-.0.0.0.1.-.0.0.1.5.-.d.8.c.5.-.2.3.2.5.6.b.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.d.2.9.6.b.d.c.7.c.a.a.e.3.5.9.7.c.d.9.0.3.b.4.b.f.6.1.6.e.3.0.0.0.0.0.0.0.0.!.0.0.0.0.7.a.b.4.0.8.8.c.1.6.2.a.d.7.0.f.5.4.5.6.d.a.c.d.1.f.e.3.4.1.5.0.e.2.2.f.9.e.0.d.!.

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:+LHyIFKL3IZ2KRH9OugYs
MD5:	9AA3EC09E507E3B6521730FDDCF550A3
SHA1:	19E688C78EB2FBE0D620C0055293DA06411512D0
SHA-256:	E50F69B84C0E4B5D2CFE80C5B7B4AF6398A862F098D06B138388F7D49ABAB0B8
SHA-512:	04B3A49C7FB0DFFF413095AB046296C779A1978D64CDAE35858435A5E41221AE6726421F1FB116EBF7E2DB314602A544F5C8AD7F0F96FCC04D694AD6C1E78E81
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Users\user\AppData\Roaming\iKHPXKiqI.exe
File Type:	XML 1.0 document, ASCII text
Category:	modified
Size (bytes):	1596
Entropy (8bit):	5.102563950163282
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLiioxv:cge7QYrFdOFzOzN33ODOiDdKrsuTuiIv
MD5:	2D46D175DAEAAC85A35F484AEFCA4E63
SHA1:	874B060CF631459DB5A083086ADA1A0A24B0A1F2
SHA-256:	A8287B8CD0E79B276FCD317D2E0875D91FAF2EE6BDDC20B0717CAC1C4DE93558
SHA-512:	00639BCA6CC277DF3EB4941B9CC31CBFF597C9CE32696EF17ACF42B0A4E772D260B3D898F575F2E9EE8BF197296BB5EF2721FE3DED34F09F4730BAB0B37F8777
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

Entrypoint:	0x4c38ca
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC91F9674 [Fri Dec 4 06:55:48 2076 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc3875	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc1f60	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc18d0	0xc1a00	d7d20db8b445dea3ddf618e8dd0b26ed	False	0.9379740961910911	data	7.864633377561674	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x5b4	0x600	772d256b13281764708fa34a7f6da0cb	False	0.4225260416666667	data	4.098735699979338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	36c2815940979a4d6e6ec0f09c199d9c	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc4090	0x324	data			0.43283582089552236
RT_MANIFEST	0xc43c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Target ID:	0
Start time:	12:51:16
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Plat#U0103 revizuit#U0103_shrunk.exe"
Imagebase:	0x820000
File size:	1'592'832 bytes
MD5 hash:	8ECA59816DC6007AE4A40DC09AC5B66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2202989415.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2205988648.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2205988648.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	12:51:18
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iKHPXKiqI.exe"
Imagebase:	0xdf0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	12:51:21
Start date:	25/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	12:51:23
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1748
Imagebase:	0x20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	163
Total number of Limit Nodes:	12

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.3%
Total number of Nodes:	1249
Total number of Limit Nodes:	13

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	0%
Total number of Nodes:	125
Total number of Limit Nodes:	4

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Plat#U0103 revizuit#U0103_shrunk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\AutoIt3\Uninstall.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Windows Analysis Report
Plat#U0103 revizuit#U0103_shrunk.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre